@@ -2387,6 +2387,168 @@ spec:
23872387 type : string
23882388 type : object
23892389 type : array
2390+ securityContext :
2391+ description : SecurityContext holds security configuration that will
2392+ be applied to a container. Some fields are present in both SecurityContext
2393+ and PodSecurityContext. When both are set, the values in SecurityContext
2394+ take precedence.
2395+ properties :
2396+ allowPrivilegeEscalation :
2397+ description : ' AllowPrivilegeEscalation controls whether a process
2398+ can gain more privileges than its parent process. This bool
2399+ directly controls if the no_new_privs flag will be set on the
2400+ container process. AllowPrivilegeEscalation is true always when
2401+ the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN
2402+ Note that this field cannot be set when spec.os.name is windows.'
2403+ type : boolean
2404+ capabilities :
2405+ description : The capabilities to add/drop when running containers.
2406+ Defaults to the default set of capabilities granted by the container
2407+ runtime. Note that this field cannot be set when spec.os.name
2408+ is windows.
2409+ properties :
2410+ add :
2411+ description : Added capabilities
2412+ items :
2413+ description : Capability represent POSIX capabilities type
2414+ type : string
2415+ type : array
2416+ drop :
2417+ description : Removed capabilities
2418+ items :
2419+ description : Capability represent POSIX capabilities type
2420+ type : string
2421+ type : array
2422+ type : object
2423+ privileged :
2424+ description : Run container in privileged mode. Processes in privileged
2425+ containers are essentially equivalent to root on the host. Defaults
2426+ to false. Note that this field cannot be set when spec.os.name
2427+ is windows.
2428+ type : boolean
2429+ procMount :
2430+ description : procMount denotes the type of proc mount to use for
2431+ the containers. The default is DefaultProcMount which uses the
2432+ container runtime defaults for readonly paths and masked paths.
2433+ This requires the ProcMountType feature flag to be enabled.
2434+ Note that this field cannot be set when spec.os.name is windows.
2435+ type : string
2436+ readOnlyRootFilesystem :
2437+ description : Whether this container has a read-only root filesystem.
2438+ Default is false. Note that this field cannot be set when spec.os.name
2439+ is windows.
2440+ type : boolean
2441+ runAsGroup :
2442+ description : The GID to run the entrypoint of the container process.
2443+ Uses runtime default if unset. May also be set in PodSecurityContext. If
2444+ set in both SecurityContext and PodSecurityContext, the value
2445+ specified in SecurityContext takes precedence. Note that this
2446+ field cannot be set when spec.os.name is windows.
2447+ format : int64
2448+ type : integer
2449+ runAsNonRoot :
2450+ description : Indicates that the container must run as a non-root
2451+ user. If true, the Kubelet will validate the image at runtime
2452+ to ensure that it does not run as UID 0 (root) and fail to start
2453+ the container if it does. If unset or false, no such validation
2454+ will be performed. May also be set in PodSecurityContext. If
2455+ set in both SecurityContext and PodSecurityContext, the value
2456+ specified in SecurityContext takes precedence.
2457+ type : boolean
2458+ runAsUser :
2459+ description : The UID to run the entrypoint of the container process.
2460+ Defaults to user specified in image metadata if unspecified.
2461+ May also be set in PodSecurityContext. If set in both SecurityContext
2462+ and PodSecurityContext, the value specified in SecurityContext
2463+ takes precedence. Note that this field cannot be set when spec.os.name
2464+ is windows.
2465+ format : int64
2466+ type : integer
2467+ seLinuxOptions :
2468+ description : The SELinux context to be applied to the container.
2469+ If unspecified, the container runtime will allocate a random
2470+ SELinux context for each container. May also be set in PodSecurityContext. If
2471+ set in both SecurityContext and PodSecurityContext, the value
2472+ specified in SecurityContext takes precedence. Note that this
2473+ field cannot be set when spec.os.name is windows.
2474+ properties :
2475+ level :
2476+ description : Level is SELinux level label that applies to
2477+ the container.
2478+ type : string
2479+ role :
2480+ description : Role is a SELinux role label that applies to
2481+ the container.
2482+ type : string
2483+ type :
2484+ description : Type is a SELinux type label that applies to
2485+ the container.
2486+ type : string
2487+ user :
2488+ description : User is a SELinux user label that applies to
2489+ the container.
2490+ type : string
2491+ type : object
2492+ seccompProfile :
2493+ description : The seccomp options to use by this container. If
2494+ seccomp options are provided at both the pod & container level,
2495+ the container options override the pod options. Note that this
2496+ field cannot be set when spec.os.name is windows.
2497+ properties :
2498+ localhostProfile :
2499+ description : localhostProfile indicates a profile defined
2500+ in a file on the node should be used. The profile must be
2501+ preconfigured on the node to work. Must be a descending
2502+ path, relative to the kubelet's configured seccomp profile
2503+ location. Must only be set if type is "Localhost".
2504+ type : string
2505+ type :
2506+ description : " type indicates which kind of seccomp profile
2507+ will be applied. Valid options are: \n Localhost - a profile
2508+ defined in a file on the node should be used. RuntimeDefault
2509+ - the container runtime default profile should be used.
2510+ Unconfined - no profile should be applied."
2511+ type : string
2512+ required :
2513+ - type
2514+ type : object
2515+ windowsOptions :
2516+ description : The Windows specific settings applied to all containers.
2517+ If unspecified, the options from the PodSecurityContext will
2518+ be used. If set in both SecurityContext and PodSecurityContext,
2519+ the value specified in SecurityContext takes precedence. Note
2520+ that this field cannot be set when spec.os.name is linux.
2521+ properties :
2522+ gmsaCredentialSpec :
2523+ description : GMSACredentialSpec is where the GMSA admission
2524+ webhook (https://github.com/kubernetes-sigs/windows-gmsa)
2525+ inlines the contents of the GMSA credential spec named by
2526+ the GMSACredentialSpecName field.
2527+ type : string
2528+ gmsaCredentialSpecName :
2529+ description : GMSACredentialSpecName is the name of the GMSA
2530+ credential spec to use.
2531+ type : string
2532+ hostProcess :
2533+ description : HostProcess determines if a container should
2534+ be run as a 'Host Process' container. This field is alpha-level
2535+ and will only be honored by components that enable the WindowsHostProcessContainers
2536+ feature flag. Setting this field without the feature flag
2537+ will result in errors when validating the Pod. All of a
2538+ Pod's containers must have the same effective HostProcess
2539+ value (it is not allowed to have a mix of HostProcess containers
2540+ and non-HostProcess containers). In addition, if HostProcess
2541+ is true then HostNetwork must also be set to true.
2542+ type : boolean
2543+ runAsUserName :
2544+ description : The UserName in Windows to run the entrypoint
2545+ of the container process. Defaults to the user specified
2546+ in image metadata if unspecified. May also be set in PodSecurityContext.
2547+ If set in both SecurityContext and PodSecurityContext, the
2548+ value specified in SecurityContext takes precedence.
2549+ type : string
2550+ type : object
2551+ type : object
23902552 serverlessResources :
23912553 description : (Optional) If specified, created database will be "serverless".
23922554 properties :
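Review bot: the new `securityContext` block (2390-2551) carries no defaults and no validation of the cross-field constraints its descriptions state, so the operator's behaviour is undocumented when the field is omitted. The top-level description (2391-2394) is the upstream Kubernetes text and does not say which container(s) of the generated pod this context is applied to or what the controller sets when it is absent; since `privileged` (2423), `allowPrivilegeEscalation` (2396), `runAsNonRoot` (2449) and `readOnlyRootFilesystem` (2436) decide the pod's hardening posture, the description should state the operator's default (for example whether the database container keeps the runtime defaults or gets a restricted context). Likewise, the "cannot be set when spec.os.name is windows/linux" notes (e.g. 2402, 2520) and the "if HostProcess is true then HostNetwork must also be set to true" rule (2540-2541) are enforced by the API server on Pods, not by this schema, so an invalid combination will only surface later when the operator creates the pod; consider validating these in the controller (or via a CRD validation rule) and surfacing the error on the custom resource's status.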