@@ -5842,6 +5842,7 @@ spec:
58425842 defaultNamespace:
58435843 autoProvision: true
58445844 template: <username>-che
5845+ disableContainerRunCapabilities: true
58455846 maxNumberOfWorkspacesPerUser: -1
58465847 secondsOfInactivityBeforeIdling: 1800
58475848 secondsOfRunBeforeIdling: -1
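Review bot: the sample value `disableContainerRunCapabilities: true` at 5845 duplicates the schema default declared for the same field later in this change (`default: true` under `disableContainerRunCapabilities`); the two must be kept in sync, since this block is what actually populates the object while the schema default is what users read. Consider a short comment here pointing at the field's description, so a future change to one is not made without the other.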
@@ -5875,6 +5876,230 @@ spec:
58755876 required:
58765877 - openShiftSecurityContextConstraint
58775878 type: object
5879+ containerRunConfiguration:
5880+ description: Container run configuration.
5881+ properties:
5882+ containerSecurityContext:
5883+ default:
5884+ allowPrivilegeEscalation: true
5885+ capabilities:
5886+ add:
5887+ - SETGID
5888+ - SETUID
5889+ procMount: Unmasked
5890+ description: |-
5891+ SecurityContext applied to all workspace containers when run capabilities are enabled.
5892+ The default `procMount: "Unmasked"` is set because the pod runs in a user namespace,
5893+ which safely isolates the container's `/proc` from the host. This allows the container
5894+ to modify its own sysctl settings for configuring networking for nested containers.
5895+ properties:
5896+ allowPrivilegeEscalation:
5897+ description: |-
5898+ AllowPrivilegeEscalation controls whether a process can gain more
5899+ privileges than its parent process. This bool directly controls if
5900+ the no_new_privs flag will be set on the container process.
5901+ AllowPrivilegeEscalation is true always when the container is:
5902+ 1) run as Privileged
5903+ 2) has CAP_SYS_ADMIN
5904+ Note that this field cannot be set when spec.os.name is windows.
5905+ type: boolean
5906+ appArmorProfile:
5907+ description: |-
5908+ appArmorProfile is the AppArmor options to use by this container. If set, this profile
5909+ overrides the pod's appArmorProfile.
5910+ Note that this field cannot be set when spec.os.name is windows.
5911+ properties:
5912+ localhostProfile:
5913+ description: |-
5914+ localhostProfile indicates a profile loaded on the node that should be used.
5915+ The profile must be preconfigured on the node to work.
5916+ Must match the loaded name of the profile.
5917+ Must be set if and only if type is "Localhost".
5918+ type: string
5919+ type:
5920+ description: |-
5921+ type indicates which kind of AppArmor profile will be applied.
5922+ Valid options are:
5923+ Localhost - a profile pre-loaded on the node.
5924+ RuntimeDefault - the container runtime's default profile.
5925+ Unconfined - no AppArmor enforcement.
5926+ type: string
5927+ required:
5928+ - type
5929+ type: object
5930+ capabilities:
5931+ description: |-
5932+ The capabilities to add/drop when running containers.
5933+ Defaults to the default set of capabilities granted by the container runtime.
5934+ Note that this field cannot be set when spec.os.name is windows.
5935+ properties:
5936+ add:
5937+ description: Added capabilities
5938+ items:
5939+ description: Capability represent POSIX capabilities
5940+ type
5941+ type: string
5942+ type: array
5943+ x-kubernetes-list-type: atomic
5944+ drop:
5945+ description: Removed capabilities
5946+ items:
5947+ description: Capability represent POSIX capabilities
5948+ type
5949+ type: string
5950+ type: array
5951+ x-kubernetes-list-type: atomic
5952+ type: object
5953+ privileged:
5954+ description: |-
5955+ Run container in privileged mode.
5956+ Processes in privileged containers are essentially equivalent to root on the host.
5957+ Defaults to false.
5958+ Note that this field cannot be set when spec.os.name is windows.
5959+ type: boolean
5960+ procMount:
5961+ description: |-
5962+ procMount denotes the type of proc mount to use for the containers.
5963+ The default value is Default which uses the container runtime defaults for
5964+ readonly paths and masked paths.
5965+ This requires the ProcMountType feature flag to be enabled.
5966+ Note that this field cannot be set when spec.os.name is windows.
5967+ type: string
5968+ readOnlyRootFilesystem:
5969+ description: |-
5970+ Whether this container has a read-only root filesystem.
5971+ Default is false.
5972+ Note that this field cannot be set when spec.os.name is windows.
5973+ type: boolean
5974+ runAsGroup:
5975+ description: |-
5976+ The GID to run the entrypoint of the container process.
5977+ Uses runtime default if unset.
5978+ May also be set in PodSecurityContext. If set in both SecurityContext and
5979+ PodSecurityContext, the value specified in SecurityContext takes precedence.
5980+ Note that this field cannot be set when spec.os.name is windows.
5981+ format: int64
5982+ type: integer
5983+ runAsNonRoot:
5984+ description: |-
5985+ Indicates that the container must run as a non-root user.
5986+ If true, the Kubelet will validate the image at runtime to ensure that it
5987+ does not run as UID 0 (root) and fail to start the container if it does.
5988+ If unset or false, no such validation will be performed.
5989+ May also be set in PodSecurityContext. If set in both SecurityContext and
5990+ PodSecurityContext, the value specified in SecurityContext takes precedence.
5991+ type: boolean
5992+ runAsUser:
5993+ description: |-
5994+ The UID to run the entrypoint of the container process.
5995+ Defaults to user specified in image metadata if unspecified.
5996+ May also be set in PodSecurityContext. If set in both SecurityContext and
5997+ PodSecurityContext, the value specified in SecurityContext takes precedence.
5998+ Note that this field cannot be set when spec.os.name is windows.
5999+ format: int64
6000+ type: integer
6001+ seLinuxOptions:
6002+ description: |-
6003+ The SELinux context to be applied to the container.
6004+ If unspecified, the container runtime will allocate a random SELinux context for each
6005+ container. May also be set in PodSecurityContext. If set in both SecurityContext and
6006+ PodSecurityContext, the value specified in SecurityContext takes precedence.
6007+ Note that this field cannot be set when spec.os.name is windows.
6008+ properties:
6009+ level:
6010+ description: Level is SELinux level label that applies
6011+ to the container.
6012+ type: string
6013+ role:
6014+ description: Role is a SELinux role label that applies
6015+ to the container.
6016+ type: string
6017+ type:
6018+ description: Type is a SELinux type label that applies
6019+ to the container.
6020+ type: string
6021+ user:
6022+ description: User is a SELinux user label that applies
6023+ to the container.
6024+ type: string
6025+ type: object
6026+ seccompProfile:
6027+ description: |-
6028+ The seccomp options to use by this container. If seccomp options are
6029+ provided at both the pod & container level, the container options
6030+ override the pod options.
6031+ Note that this field cannot be set when spec.os.name is windows.
6032+ properties:
6033+ localhostProfile:
6034+ description: |-
6035+ localhostProfile indicates a profile defined in a file on the node should be used.
6036+ The profile must be preconfigured on the node to work.
6037+ Must be a descending path, relative to the kubelet's configured seccomp profile location.
6038+ Must be set if type is "Localhost". Must NOT be set for any other type.
6039+ type: string
6040+ type:
6041+ description: |-
6042+ type indicates which kind of seccomp profile will be applied.
6043+ Valid options are:
6044+
6045+ Localhost - a profile defined in a file on the node should be used.
6046+ RuntimeDefault - the container runtime default profile should be used.
6047+ Unconfined - no profile should be applied.
6048+ type: string
6049+ required:
6050+ - type
6051+ type: object
6052+ windowsOptions:
6053+ description: |-
6054+ The Windows specific settings applied to all containers.
6055+ If unspecified, the options from the PodSecurityContext will be used.
6056+ If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
6057+ Note that this field cannot be set when spec.os.name is linux.
6058+ properties:
6059+ gmsaCredentialSpec:
6060+ description: |-
6061+ GMSACredentialSpec is where the GMSA admission webhook
6062+ (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
6063+ GMSA credential spec named by the GMSACredentialSpecName field.
6064+ type: string
6065+ gmsaCredentialSpecName:
6066+ description: GMSACredentialSpecName is the name of
6067+ the GMSA credential spec to use.
6068+ type: string
6069+ hostProcess:
6070+ description: |-
6071+ HostProcess determines if a container should be run as a 'Host Process' container.
6072+ All of a Pod's containers must have the same effective HostProcess value
6073+ (it is not allowed to have a mix of HostProcess containers and non-HostProcess containers).
6074+ In addition, if HostProcess is true then HostNetwork must also be set to true.
6075+ type: boolean
6076+ runAsUserName:
6077+ description: |-
6078+ The UserName in Windows to run the entrypoint of the container process.
6079+ Defaults to the user specified in image metadata if unspecified.
6080+ May also be set in PodSecurityContext. If set in both SecurityContext and
6081+ PodSecurityContext, the value specified in SecurityContext takes precedence.
6082+ type: string
6083+ type: object
6084+ type: object
6085+ openShiftSecurityContextConstraint:
6086+ default: container-run
6087+ description: Specifies the OpenShift SecurityContextConstraint
6088+ used to run containers.
6089+ type: string
6090+ workspacesPodAnnotations:
6091+ additionalProperties:
6092+ type: string
6093+ default:
6094+ io.kubernetes.cri-o.Devices: /dev/fuse,/dev/net/tun
6095+ description: |-
6096+ Extra annotations applied to all workspace pods, in addition to those defined
6097+ in `devEnvironments.workspacePodAnnotations`. Enables `/dev/fuse` for access to the fuse driver
6098+ and `/dev/net/tun` for safe network access.
6099+ type: object
6100+ required:
6101+ - openShiftSecurityContextConstraint
6102+ type: object
58786103 defaultComponents:
58796104 description: |-
58806105 Default components applied to DevWorkspaces.
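Review bot: the justification given for the `procMount: Unmasked` default at 5889 (the pod runs in a user namespace, so the container's `/proc` is isolated from the host, 5892-5893) is a precondition that nothing in this schema expresses or validates, and the field's own description at 5965 adds a second one (the ProcMountType feature flag). On a cluster that lacks either, the default is applied without the isolation the description relies on, or the field is rejected. Suggest stating both preconditions explicitly in the `containerSecurityContext` description and having the operator check them before applying this profile rather than assuming them. The one-line `description: Container run configuration.` at 5880 should also say when this block is used at all, namely only when `disableContainerRunCapabilities` is `false`, which is currently only discoverable from that other field. Minor: the `workspacesPodAnnotations` description at 6098 calls `/dev/net/tun` "safe network access" without saying what makes it safe; either name the isolation it depends on or drop the adjective.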
@@ -7437,6 +7662,15 @@ spec:
74377662 - SETGID
74387663 - SETUID
74397664 type: boolean
7665+ disableContainerRunCapabilities:
7666+ default: true
7667+ description: |-
7668+ Disables container run capabilities.
7669+ Can be enabled on OpenShift version 4.20 or later.
7670+ When set to `false`, the value from `devEnvironments.security.containerSecurityContext`
7671+ is ignored, and instead the SecurityContext defined in
7672+ `devEnvironments.containerRunConfiguration.containerSecurityContext` is applied.
7673+ type: boolean
74407674 editorsDownloadUrls:
74417675 description: |-
74427676 EditorsDownloadUrls provides a list of custom download URLs for JetBrains editors
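Review bot: the sentence "Can be enabled on OpenShift version 4.20 or later." at 7669 is ambiguous: with `default: true` meaning the capabilities are disabled, "enabled" must refer to the container run capabilities (setting this field to `false`), not to the field itself. Suggest: "Container run capabilities can be enabled by setting this to `false`; this is supported only on OpenShift 4.20 or later." It would also help to document what the operator does when `false` is set on an older version (reject at validation, or ignore and log), since the schema cannot express the version constraint and a silently ignored setting is the outcome users are least likely to notice.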
@@ -8051,9 +8285,10 @@ spec:
80518285 properties:
80528286 containerSecurityContext:
80538287 description: |-
8054- Container SecurityContext used by all workspace-related containers.
8055- If set, defined values are merged into the default Container SecurityContext configuration.
8056- Requires devEnvironments.disableContainerBuildCapabilities to be set to `true` in order to take effect.
8288+ Defines the SecurityContext applied to all workspace-related containers.
8289+ When set, the specified values are merged with the default SecurityContext configuration.
8290+ This setting takes effect only if both `devEnvironments.disableContainerBuildCapabilities`
8291+ and `devEnvironments.disableContainerRunCapabilities` are set to `true`.
80578292 properties:
80588293 allowPrivilegeEscalation:
80598294 description: |-
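Review bot: the rewritten text at 8289 keeps "merged with the default SecurityContext configuration" without defining the merge semantics; for list-valued fields such as `capabilities.add` and `capabilities.drop` it matters whether user values replace or append to the defaults, and for a field like `allowPrivilegeEscalation` it should be clear which side wins on conflict. Suggest one sentence stating the rule, for example "fields set here override the corresponding default field; lists are replaced, not concatenated", adjusted to match the implementation. Otherwise the rewording reads well, and the two-flag precondition at 8290-8291 is consistent with the `disableContainerRunCapabilities` description added in this change.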