implement runAsGroup

Author: Rohit Patil

openapi/generated_openapi/zz_generated.openapi.go

@@ -37959,6 +37959,25 @@
         }
       }
     },
+    "com.github.openshift.api.security.v1.RunAsGroupStrategyOptions": {
+      "description": "RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.",
+      "type": "object",
+      "properties": {
+        "ranges": {
+          "description": "ranges are the allowed ranges of gids.  If you would like to force a single gid then supply a single range with the same start and end.",
+          "type": "array",
+          "items": {
+            "default": {},
+            "$ref": "#/definitions/com.github.openshift.api.security.v1.IDRange"
+          },
+          "x-kubernetes-list-type": "atomic"
+        },
+        "type": {
+          "description": "type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.",
+          "type": "string"
+        }
+      }
+    },
     "com.github.openshift.api.security.v1.SELinuxContextStrategyOptions": {
       "description": "SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.",
       "type": "object",
@@ -38120,6 +38139,11 @@
           },
           "x-kubernetes-list-type": "atomic"
         },
+        "runAsGroup": {
+          "description": "runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext.",
+          "default": {},
+          "$ref": "#/definitions/com.github.openshift.api.security.v1.RunAsGroupStrategyOptions"
+        },
         "runAsUser": {
           "description": "runAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.",
           "default": {},

openapi/openapi.json

@@ -38,6 +38,10 @@ spec:
       jsonPath: .fsGroup.type
       name: FSGroup
       type: string
+    - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext
+      jsonPath: .runAsGroup.type
+      name: RunAsGroup
+      type: string
     - description: Strategy that will dictate what supplemental groups are used by
         the SecurityContext
       jsonPath: .supplementalGroups.type
@@ -256,6 +260,34 @@ spec:
             nullable: true
             type: array
             x-kubernetes-list-type: atomic
+          runAsGroup:
+            description: runAsGroup is the strategy that will dictate what RunAsGroup
+              is used in the SecurityContext.
+            nullable: true
+            properties:
+              ranges:
+                description: |-
+                  ranges are the allowed ranges of gids.  If you would like to force a single
+                  gid then supply a single range with the same start and end.
+                items:
+                  description: IDRange provides a min/max of an allowed range of IDs.
+                  properties:
+                    max:
+                      description: max is the end of the range, inclusive.
+                      format: int64
+                      type: integer
+                    min:
+                      description: min is the start of the range, inclusive.
+                      format: int64
+                      type: integer
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+              type:
+                description: type is the strategy that will dictate what RunAsGroup
+                  is used in the SecurityContext.
+                type: string
+            type: object
           runAsUser:
             description: runAsUser is the strategy that will dictate what RunAsUser
               is used in the SecurityContext.

payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml

@@ -31,6 +31,7 @@ var AllowAllCapabilities corev1.Capability = "*"
 // +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=.seLinuxContext.type,description="Strategy that will dictate what labels will be set in the SecurityContext"
 // +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=.runAsUser.type,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
 // +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=.fsGroup.type,description="Strategy that will dictate what fs group is used by the SecurityContext"
+// +kubebuilder:printcolumn:name="RunAsGroup",type=string,JSONPath=.runAsGroup.type,description="Strategy that will dictate what RunAsGroup is used by the SecurityContext"
 // +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=.supplementalGroups.type,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
 // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=.priority,description="Sort order of SCCs"
 // +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=.readOnlyRootFilesystem,description="Force containers to run with a read only root file system"
@@ -131,6 +132,9 @@ type SecurityContextConstraints struct {
 	// fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
 	// +nullable
 	FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" protobuf:"bytes,16,opt,name=fsGroup"`
+	// runAsGroup is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+	// +nullable
+	RunAsGroup RunAsGroupStrategyOptions `json:"runAsGroup,omitempty" protobuf:"bytes,27,opt,name=runAsGroup"`
 	// readOnlyRootFilesystem when set to true will force containers to run with a read only root file
 	// system.  If the container specifically requests to run with a non-read only root file system
 	// the SCC should deny the pod.
@@ -268,6 +272,16 @@ type SupplementalGroupsStrategyOptions struct {
 	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
 
+// RunAsGroupStrategyOptions defines the strategy type and options used to create the strategy.
+type RunAsGroupStrategyOptions struct {
+	// type is the strategy that will dictate what RunAsGroup is used in the SecurityContext.
+	Type RunAsGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsGroupStrategyType"`
+	// ranges are the allowed ranges of gids.  If you would like to force a single
+	// gid then supply a single range with the same start and end.
+	// +listType=atomic
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+}
+
 // IDRange provides a min/max of an allowed range of IDs.
 // TODO: this could be reused for UIDs.
 type IDRange struct {
@@ -296,6 +310,10 @@ type SupplementalGroupsStrategyType string
 // SecurityContext
 type FSGroupStrategyType string
 
+// RunAsGroupStrategyType denotes strategy types for generating RunAsGroup values for a
+// SecurityContext
+type RunAsGroupStrategyType string
+
 const (
 	// NamespaceLevelAllowHost allows a pod to set `hostUsers` field to either `true` or `false`
 	NamespaceLevelAllowHost NamespaceLevelType = "AllowHostLevel"
@@ -321,6 +339,11 @@ const (
 	// container may make requests for any FSGroup labels.
 	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
 
+	// container must have RunAsGroup of X applied.
+	RunAsGroupStrategyMustRunAs RunAsGroupStrategyType = "MustRunAs"
+	// container may make requests for any RunAsGroup.
+	RunAsGroupStrategyRunAsAny RunAsGroupStrategyType = "RunAsAny"
+
 	// container must run as a particular gid.
 	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
 	// container may make requests for any gid.

security/v1/types.go

@@ -38,6 +38,10 @@ spec:
       jsonPath: .fsGroup.type
       name: FSGroup
       type: string
+    - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext
+      jsonPath: .runAsGroup.type
+      name: RunAsGroup
+      type: string
     - description: Strategy that will dictate what supplemental groups are used by
         the SecurityContext
       jsonPath: .supplementalGroups.type
@@ -256,6 +260,34 @@ spec:
             nullable: true
             type: array
             x-kubernetes-list-type: atomic
+          runAsGroup:
+            description: runAsGroup is the strategy that will dictate what RunAsGroup
+              is used in the SecurityContext.
+            nullable: true
+            properties:
+              ranges:
+                description: |-
+                  ranges are the allowed ranges of gids.  If you would like to force a single
+                  gid then supply a single range with the same start and end.
+                items:
+                  description: IDRange provides a min/max of an allowed range of IDs.
+                  properties:
+                    max:
+                      description: max is the end of the range, inclusive.
+                      format: int64
+                      type: integer
+                    min:
+                      description: min is the start of the range, inclusive.
+                      format: int64
+                      type: integer
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+              type:
+                description: type is the strategy that will dictate what RunAsGroup
+                  is used in the SecurityContext.
+                type: string
+            type: object
           runAsUser:
             description: runAsUser is the strategy that will dictate what RunAsUser
               is used in the SecurityContext.

security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml

@@ -36,6 +36,10 @@ securitycontextconstraints.security.openshift.io:
     jsonPath: .fsGroup.type
     name: FSGroup
     type: string
+  - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext
+    jsonPath: .runAsGroup.type
+    name: RunAsGroup
+    type: string
   - description: Strategy that will dictate what supplemental groups are used by the
       SecurityContext
     jsonPath: .supplementalGroups.type

security/v1/zz_generated.deepcopy.go

@@ -39,6 +39,10 @@ spec:
       jsonPath: .fsGroup.type
       name: FSGroup
       type: string
+    - description: Strategy that will dictate what RunAsGroup is used by the SecurityContext
+      jsonPath: .runAsGroup.type
+      name: RunAsGroup
+      type: string
     - description: Strategy that will dictate what supplemental groups are used by
         the SecurityContext
       jsonPath: .supplementalGroups.type
@@ -257,6 +261,34 @@ spec:
             nullable: true
             type: array
             x-kubernetes-list-type: atomic
+          runAsGroup:
+            description: runAsGroup is the strategy that will dictate what RunAsGroup
+              is used in the SecurityContext.
+            nullable: true
+            properties:
+              ranges:
+                description: |-
+                  ranges are the allowed ranges of gids.  If you would like to force a single
+                  gid then supply a single range with the same start and end.
+                items:
+                  description: IDRange provides a min/max of an allowed range of IDs.
+                  properties:
+                    max:
+                      description: max is the end of the range, inclusive.
+                      format: int64
+                      type: integer
+                    min:
+                      description: min is the start of the range, inclusive.
+                      format: int64
+                      type: integer
+                  type: object
+                type: array
+                x-kubernetes-list-type: atomic
+              type:
+                description: type is the strategy that will dictate what RunAsGroup
+                  is used in the SecurityContext.
+                type: string
+            type: object
           runAsUser:
             description: runAsUser is the strategy that will dictate what RunAsUser
               is used in the SecurityContext.