
[Feature] Expose core.PodSecurityContext Sysctl options (#1360)

This commit is contained in:
Adam Janikowski 2023-07-20 13:25:54 +02:00 committed by GitHub
parent 8b6395a647
commit 2bd002e7f6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 439 additions and 88 deletions

.gitattributes vendored

@ -1,2 +1,3 @@
pkg/generated/** linguist-generated pkg/generated/** linguist-generated
**/zz_generated.deepcopy.go linguist-generated **/zz_generated.deepcopy.go linguist-generated
pkg/api/** linguist-generated


@ -4,6 +4,7 @@
- (Feature) Backup lifetime - remove Backup once its lifetime has been reached - (Feature) Backup lifetime - remove Backup once its lifetime has been reached
- (Feature) Add Feature dependency - (Feature) Add Feature dependency
- (Feature) Run secured containers as a feature - (Feature) Run secured containers as a feature
- (Feature) Expose core.PodSecurityContext Sysctl options
## [1.2.31](https://github.com/arangodb/kube-arangodb/tree/1.2.31) (2023-07-14) ## [1.2.31](https://github.com/arangodb/kube-arangodb/tree/1.2.31) (2023-07-14)
- (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode - (Improvement) Block traffic on the services if there is more than 1 active leader in ActiveFailover mode


@ -327,11 +327,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.agents.securityContext.allowPrivilegeEscalation: bool ### .spec.agents.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.agents.securityContext.dropAllCapabilities: bool ### .spec.agents.securityContext.dropAllCapabilities: bool
@ -339,31 +339,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.agents.securityContext.fsGroup: int64 ### .spec.agents.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.agents.securityContext.privileged: bool ### .spec.agents.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.agents.securityContext.readOnlyRootFilesystem: bool ### .spec.agents.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.agents.securityContext.runAsGroup: int64 ### .spec.agents.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.agents.securityContext.runAsNonRoot: bool ### .spec.agents.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.agents.securityContext.runAsUser: int64 ### .spec.agents.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.agents.securityContext.seccompProfile: core.SeccompProfile ### .spec.agents.securityContext.seccompProfile: core.SeccompProfile
@ -372,7 +372,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.agents.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.agents.securityContext.seLinuxOptions: core.SELinuxOptions
@ -381,11 +381,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.agents.securityContext.supplementalGroups: []int64 ### .spec.agents.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.agents.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.agents.serviceAccountName: string ### .spec.agents.serviceAccountName: string
@ -917,11 +938,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.coordinators.securityContext.allowPrivilegeEscalation: bool ### .spec.coordinators.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.coordinators.securityContext.dropAllCapabilities: bool ### .spec.coordinators.securityContext.dropAllCapabilities: bool
@ -929,31 +950,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.coordinators.securityContext.fsGroup: int64 ### .spec.coordinators.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.coordinators.securityContext.privileged: bool ### .spec.coordinators.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.coordinators.securityContext.readOnlyRootFilesystem: bool ### .spec.coordinators.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.coordinators.securityContext.runAsGroup: int64 ### .spec.coordinators.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.coordinators.securityContext.runAsNonRoot: bool ### .spec.coordinators.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.coordinators.securityContext.runAsUser: int64 ### .spec.coordinators.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.coordinators.securityContext.seccompProfile: core.SeccompProfile ### .spec.coordinators.securityContext.seccompProfile: core.SeccompProfile
@ -962,7 +983,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.coordinators.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.coordinators.securityContext.seLinuxOptions: core.SELinuxOptions
@ -971,11 +992,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.coordinators.securityContext.supplementalGroups: []int64 ### .spec.coordinators.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.coordinators.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.coordinators.serviceAccountName: string ### .spec.coordinators.serviceAccountName: string
@ -1439,11 +1481,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.dbservers.securityContext.allowPrivilegeEscalation: bool ### .spec.dbservers.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.dbservers.securityContext.dropAllCapabilities: bool ### .spec.dbservers.securityContext.dropAllCapabilities: bool
@ -1451,31 +1493,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.dbservers.securityContext.fsGroup: int64 ### .spec.dbservers.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.dbservers.securityContext.privileged: bool ### .spec.dbservers.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.dbservers.securityContext.readOnlyRootFilesystem: bool ### .spec.dbservers.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.dbservers.securityContext.runAsGroup: int64 ### .spec.dbservers.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.dbservers.securityContext.runAsNonRoot: bool ### .spec.dbservers.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.dbservers.securityContext.runAsUser: int64 ### .spec.dbservers.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.dbservers.securityContext.seccompProfile: core.SeccompProfile ### .spec.dbservers.securityContext.seccompProfile: core.SeccompProfile
@ -1484,7 +1526,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.dbservers.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.dbservers.securityContext.seLinuxOptions: core.SELinuxOptions
@ -1493,11 +1535,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.dbservers.securityContext.supplementalGroups: []int64 ### .spec.dbservers.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.dbservers.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.dbservers.serviceAccountName: string ### .spec.dbservers.serviceAccountName: string
@ -1748,11 +1811,11 @@ Code Reference: [server_id_group_spec.go:56](/pkg/apis/deployment/v1/server_id_g
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.id.securityContext.allowPrivilegeEscalation: bool ### .spec.id.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.id.securityContext.dropAllCapabilities: bool ### .spec.id.securityContext.dropAllCapabilities: bool
@ -1760,31 +1823,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.id.securityContext.fsGroup: int64 ### .spec.id.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.id.securityContext.privileged: bool ### .spec.id.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.id.securityContext.readOnlyRootFilesystem: bool ### .spec.id.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.id.securityContext.runAsGroup: int64 ### .spec.id.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.id.securityContext.runAsNonRoot: bool ### .spec.id.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.id.securityContext.runAsUser: int64 ### .spec.id.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.id.securityContext.seccompProfile: core.SeccompProfile ### .spec.id.securityContext.seccompProfile: core.SeccompProfile
@ -1793,7 +1856,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.id.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.id.securityContext.seLinuxOptions: core.SELinuxOptions
@ -1802,11 +1865,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.id.securityContext.supplementalGroups: []int64 ### .spec.id.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.id.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.id.serviceAccountName: string ### .spec.id.serviceAccountName: string
@ -2290,11 +2374,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.single.securityContext.allowPrivilegeEscalation: bool ### .spec.single.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.single.securityContext.dropAllCapabilities: bool ### .spec.single.securityContext.dropAllCapabilities: bool
@ -2302,31 +2386,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.single.securityContext.fsGroup: int64 ### .spec.single.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.single.securityContext.privileged: bool ### .spec.single.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.single.securityContext.readOnlyRootFilesystem: bool ### .spec.single.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.single.securityContext.runAsGroup: int64 ### .spec.single.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.single.securityContext.runAsNonRoot: bool ### .spec.single.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.single.securityContext.runAsUser: int64 ### .spec.single.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.single.securityContext.seccompProfile: core.SeccompProfile ### .spec.single.securityContext.seccompProfile: core.SeccompProfile
@ -2335,7 +2419,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.single.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.single.securityContext.seLinuxOptions: core.SELinuxOptions
@ -2344,11 +2428,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.single.securityContext.supplementalGroups: []int64 ### .spec.single.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.single.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.single.serviceAccountName: string ### .spec.single.serviceAccountName: string
@ -2902,11 +3007,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.syncmasters.securityContext.allowPrivilegeEscalation: bool ### .spec.syncmasters.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.syncmasters.securityContext.dropAllCapabilities: bool ### .spec.syncmasters.securityContext.dropAllCapabilities: bool
@ -2914,31 +3019,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.syncmasters.securityContext.fsGroup: int64 ### .spec.syncmasters.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.syncmasters.securityContext.privileged: bool ### .spec.syncmasters.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.syncmasters.securityContext.readOnlyRootFilesystem: bool ### .spec.syncmasters.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.syncmasters.securityContext.runAsGroup: int64 ### .spec.syncmasters.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.syncmasters.securityContext.runAsNonRoot: bool ### .spec.syncmasters.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.syncmasters.securityContext.runAsUser: int64 ### .spec.syncmasters.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.syncmasters.securityContext.seccompProfile: core.SeccompProfile ### .spec.syncmasters.securityContext.seccompProfile: core.SeccompProfile
@ -2947,7 +3052,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.syncmasters.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.syncmasters.securityContext.seLinuxOptions: core.SELinuxOptions
@ -2956,11 +3061,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.syncmasters.securityContext.supplementalGroups: []int64 ### .spec.syncmasters.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.syncmasters.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.syncmasters.serviceAccountName: string ### .spec.syncmasters.serviceAccountName: string
@ -3418,11 +3544,11 @@ Code Reference: [server_group_spec.go:82](/pkg/apis/deployment/v1/server_group_s
AddCapabilities add new capabilities to containers AddCapabilities add new capabilities to containers
Code Reference: [server_group_security_context_spec.go:42](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L42) Code Reference: [server_group_security_context_spec.go:43](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L43)
### .spec.syncworkers.securityContext.allowPrivilegeEscalation: bool ### .spec.syncworkers.securityContext.allowPrivilegeEscalation: bool
Code Reference: [server_group_security_context_spec.go:44](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L44) Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45)
### .spec.syncworkers.securityContext.dropAllCapabilities: bool ### .spec.syncworkers.securityContext.dropAllCapabilities: bool
@ -3430,31 +3556,31 @@ DropAllCapabilities specifies if capabilities should be dropped for this pod con
Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0. Deprecated: This field is added for backward compatibility. Will be removed in 1.1.0.
Code Reference: [server_group_security_context_spec.go:40](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L40) Code Reference: [server_group_security_context_spec.go:41](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L41)
### .spec.syncworkers.securityContext.fsGroup: int64 ### .spec.syncworkers.securityContext.fsGroup: int64
Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52) Code Reference: [server_group_security_context_spec.go:53](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L53)
### .spec.syncworkers.securityContext.privileged: bool ### .spec.syncworkers.securityContext.privileged: bool
Code Reference: [server_group_security_context_spec.go:45](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L45) Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46)
### .spec.syncworkers.securityContext.readOnlyRootFilesystem: bool ### .spec.syncworkers.securityContext.readOnlyRootFilesystem: bool
Code Reference: [server_group_security_context_spec.go:46](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L46) Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47)
### .spec.syncworkers.securityContext.runAsGroup: int64 ### .spec.syncworkers.securityContext.runAsGroup: int64
Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49) Code Reference: [server_group_security_context_spec.go:50](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L50)
### .spec.syncworkers.securityContext.runAsNonRoot: bool ### .spec.syncworkers.securityContext.runAsNonRoot: bool
Code Reference: [server_group_security_context_spec.go:47](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L47) Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48)
### .spec.syncworkers.securityContext.runAsUser: int64 ### .spec.syncworkers.securityContext.runAsUser: int64
Code Reference: [server_group_security_context_spec.go:48](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L48) Code Reference: [server_group_security_context_spec.go:49](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L49)
### .spec.syncworkers.securityContext.seccompProfile: core.SeccompProfile ### .spec.syncworkers.securityContext.seccompProfile: core.SeccompProfile
@ -3463,7 +3589,7 @@ SeccompProfile defines a pod/container's seccomp profile settings. Only one prof
Links: Links:
* [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core) * [Documentation of core.SeccompProfile](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core)
Code Reference: [server_group_security_context_spec.go:57](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L57) Code Reference: [server_group_security_context_spec.go:69](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L69)
### .spec.syncworkers.securityContext.seLinuxOptions: core.SELinuxOptions ### .spec.syncworkers.securityContext.seLinuxOptions: core.SELinuxOptions
@ -3472,11 +3598,32 @@ SELinuxOptions are the labels to be applied to the container
Links: Links:
* [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core) * [Documentation of core.SELinuxOptions](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#selinuxoptions-v1-core)
Code Reference: [server_group_security_context_spec.go:62](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L62) Code Reference: [server_group_security_context_spec.go:74](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L74)
### .spec.syncworkers.securityContext.supplementalGroups: []int64 ### .spec.syncworkers.securityContext.supplementalGroups: []int64
Code Reference: [server_group_security_context_spec.go:51](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L51) Code Reference: [server_group_security_context_spec.go:52](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L52)
### .spec.syncworkers.securityContext.sysctls: map[string]intstr.IntOrString
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
sysctls (by the container runtime) might fail to launch.
Map Value can be String or Int
Links:
* [Documentation](https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/)
Example:
```yaml
sysctls:
"kernel.shm_rmid_forced": "0"
"net.core.somaxconn": 1024
"kernel.msgmax": "65536"
```
Code Reference: [server_group_security_context_spec.go:64](/pkg/apis/deployment/v1/server_group_security_context_spec.go#L64)
### .spec.syncworkers.serviceAccountName: string ### .spec.syncworkers.serviceAccountName: string


@ -21,7 +21,10 @@
package v1 package v1
import ( import (
"sort"
core "k8s.io/api/core/v1" core "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"github.com/arangodb/kube-arangodb/pkg/util" "github.com/arangodb/kube-arangodb/pkg/util"
) )
@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct {
SupplementalGroups []int64 `json:"supplementalGroups,omitempty"` SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
FSGroup *int64 `json:"fsGroup,omitempty"` FSGroup *int64 `json:"fsGroup,omitempty"`
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// Map Value can be String or Int
// +doc/example: sysctls:
// +doc/example: "kernel.shm_rmid_forced": "0"
// +doc/example: "net.core.somaxconn": 1024
// +doc/example: "kernel.msgmax": "65536"
// +doc/type: map[string]intstr.IntOrString
// +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"`
// SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. // SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
// +doc/type: core.SeccompProfile // +doc/type: core.SeccompProfile
// +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core // +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core
@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
} }
} }
if s != nil && len(s.Sysctls) > 0 {
var sysctls []core.Sysctl
for k, v := range s.Sysctls {
sysctls = append(sysctls, core.Sysctl{
Name: k,
Value: v.String(),
})
}
sort.Slice(sysctls, func(i, j int) bool {
return sysctls[i].Name < sysctls[j].Name
})
if psc == nil {
psc = &core.PodSecurityContext{}
}
psc.Sysctls = sysctls
}
if secured { if secured {
if psc == nil { if psc == nil {
psc = &core.PodSecurityContext{} psc = &core.PodSecurityContext{}
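Review bot: The example in the new Sysctls field comment earlier in this section lists `net.core.somaxconn` and `kernel.msgmax`, but of the three values shown only `kernel.shm_rmid_forced` is in the kubelet's default safe-sysctl set; the other two are refused unless the kubelet runs with `--allowed-unsafe-sysctls`, and the baseline Pod Security Standard rejects them too, so a user copying the example gets exactly the "might fail to launch" outcome the comment warns about. I would add to that comment: `// Only sysctls in the kubelet's safe set are allowed by default; others need --allowed-unsafe-sysctls on the kubelet and are rejected by the baseline Pod Security Standard.` The loop in this hunk passes names straight through to the Pod spec, so a malformed or disallowed name surfaces only as a pod that never starts; if the spec type has a validation path, rejecting such names there would report the error on the deployment status instead. The v2alpha1 copy of this field and of NewPodSecurityContext later on this page has the same gap. NewPodSecurityContext starts and ends outside the hunk.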


@ -21,10 +21,13 @@
package v1 package v1
import ( import (
"encoding/json"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
core "k8s.io/api/core/v1" core "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"github.com/arangodb/kube-arangodb/pkg/util" "github.com/arangodb/kube-arangodb/pkg/util"
) )
@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
SupplementalGroups: []int64{1}, SupplementalGroups: []int64{1},
}, },
}, },
"pass sysctl opts": {
sc: &ServerGroupSpecSecurityContext{
Sysctls: map[string]intstr.IntOrString{
"opt.1": intstr.FromInt(1),
"opt.2": intstr.FromString("2"),
},
},
secured: false,
want: &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "opt.1",
Value: "1",
},
{
Name: "opt.2",
Value: "2",
},
},
},
},
} }
for testName, testCase := range testCases { for testName, testCase := range testCases {
@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
} }
} }
func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) {
testCases := map[string]struct {
sc string
secured bool
want *core.PodSecurityContext
}{
"pass sysctl opts": {
sc: `{"sysctls":{"opt.1":1, "opt.2":"2"}}`,
secured: false,
want: &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "opt.1",
Value: "1",
},
{
Name: "opt.2",
Value: "2",
},
},
},
},
}
for testName, testCase := range testCases {
t.Run(testName, func(t *testing.T) {
var p ServerGroupSpecSecurityContext
require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p))
actual := p.NewPodSecurityContext(testCase.secured)
assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
})
}
}
func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
sc *ServerGroupSpecSecurityContext sc *ServerGroupSpecSecurityContext
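Review bot: The new TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON pins only `secured: false`, so the interaction between the sysctls block and the `secured` branch that follows it in NewPodSecurityContext is untested; a second case with `secured: true` and the same JSON would cover it. An additional `{"sysctls":{}}` case would pin that `Sysctls` stays nil rather than becoming an empty slice, which the deep-equal comparison in assert.Equalf distinguishes. The v2alpha1 copy of this test later on this page has the same gap.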


@ -1,7 +1,7 @@
// //
// DISCLAIMER // DISCLAIMER
// //
// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany // Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.


@ -32,6 +32,7 @@ import (
corev1 "k8s.io/api/core/v1" corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
intstr "k8s.io/apimachinery/pkg/util/intstr"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@ -2576,6 +2577,13 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
*out = new(int64) *out = new(int64)
**out = **in **out = **in
} }
if in.Sysctls != nil {
in, out := &in.Sysctls, &out.Sysctls
*out = make(map[string]intstr.IntOrString, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.SeccompProfile != nil { if in.SeccompProfile != nil {
in, out := &in.SeccompProfile, &out.SeccompProfile in, out := &in.SeccompProfile, &out.SeccompProfile
*out = new(corev1.SeccompProfile) *out = new(corev1.SeccompProfile)


@ -21,7 +21,10 @@
package v2alpha1 package v2alpha1
import ( import (
"sort"
core "k8s.io/api/core/v1" core "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"github.com/arangodb/kube-arangodb/pkg/util" "github.com/arangodb/kube-arangodb/pkg/util"
) )
@ -51,6 +54,17 @@ type ServerGroupSpecSecurityContext struct {
SupplementalGroups []int64 `json:"supplementalGroups,omitempty"` SupplementalGroups []int64 `json:"supplementalGroups,omitempty"`
FSGroup *int64 `json:"fsGroup,omitempty"` FSGroup *int64 `json:"fsGroup,omitempty"`
// Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
// sysctls (by the container runtime) might fail to launch.
// Map Value can be String or Int
// +doc/example: sysctls:
// +doc/example: "kernel.shm_rmid_forced": "0"
// +doc/example: "net.core.somaxconn": 1024
// +doc/example: "kernel.msgmax": "65536"
// +doc/type: map[string]intstr.IntOrString
// +doc/link: Documentation|https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/
Sysctls map[string]intstr.IntOrString `json:"sysctls,omitempty"`
// SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set. // SeccompProfile defines a pod/container's seccomp profile settings. Only one profile source may be set.
// +doc/type: core.SeccompProfile // +doc/type: core.SeccompProfile
// +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core // +doc/link: Documentation of core.SeccompProfile|https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.26/#seccompprofile-v1-core
@ -96,6 +110,26 @@ func (s *ServerGroupSpecSecurityContext) NewPodSecurityContext(secured bool) *co
} }
} }
if s != nil && len(s.Sysctls) > 0 {
var sysctls []core.Sysctl
for k, v := range s.Sysctls {
sysctls = append(sysctls, core.Sysctl{
Name: k,
Value: v.String(),
})
}
sort.Slice(sysctls, func(i, j int) bool {
return sysctls[i].Name < sysctls[j].Name
})
if psc == nil {
psc = &core.PodSecurityContext{}
}
psc.Sysctls = sysctls
}
if secured { if secured {
if psc == nil { if psc == nil {
psc = &core.PodSecurityContext{} psc = &core.PodSecurityContext{}


@ -21,10 +21,13 @@
package v2alpha1 package v2alpha1
import ( import (
"encoding/json"
"testing" "testing"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
core "k8s.io/api/core/v1" core "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"github.com/arangodb/kube-arangodb/pkg/util" "github.com/arangodb/kube-arangodb/pkg/util"
) )
@ -76,6 +79,27 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
SupplementalGroups: []int64{1}, SupplementalGroups: []int64{1},
}, },
}, },
"pass sysctl opts": {
sc: &ServerGroupSpecSecurityContext{
Sysctls: map[string]intstr.IntOrString{
"opt.1": intstr.FromInt(1),
"opt.2": intstr.FromString("2"),
},
},
secured: false,
want: &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "opt.1",
Value: "1",
},
{
Name: "opt.2",
Value: "2",
},
},
},
},
} }
for testName, testCase := range testCases { for testName, testCase := range testCases {
@ -86,6 +110,41 @@ func TestServerGroupSpecSecurityContext_NewPodSecurityContext(t *testing.T) {
} }
} }
func TestServerGroupSpecSecurityContext_NewPodSecurityContextFromJSON(t *testing.T) {
testCases := map[string]struct {
sc string
secured bool
want *core.PodSecurityContext
}{
"pass sysctl opts": {
sc: `{"sysctls":{"opt.1":1, "opt.2":"2"}}`,
secured: false,
want: &core.PodSecurityContext{
Sysctls: []core.Sysctl{
{
Name: "opt.1",
Value: "1",
},
{
Name: "opt.2",
Value: "2",
},
},
},
},
}
for testName, testCase := range testCases {
t.Run(testName, func(t *testing.T) {
var p ServerGroupSpecSecurityContext
require.NoError(t, json.Unmarshal([]byte(testCase.sc), &p))
actual := p.NewPodSecurityContext(testCase.secured)
assert.Equalf(t, testCase.want, actual, "NewPodSecurityContext(%v)", testCase.secured)
})
}
}
func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) { func TestServerGroupSpecSecurityContext_NewSecurityContext(t *testing.T) {
tests := map[string]struct { tests := map[string]struct {
sc *ServerGroupSpecSecurityContext sc *ServerGroupSpecSecurityContext


@ -1,7 +1,7 @@
// //
// DISCLAIMER // DISCLAIMER
// //
// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany // Copyright 2016-2023 ArangoDB GmbH, Cologne, Germany
// //
// Licensed under the Apache License, Version 2.0 (the "License"); // Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License. // you may not use this file except in compliance with the License.
@ -35,7 +35,7 @@ type Timeouts struct {
// MaintenanceGracePeriod action timeout // MaintenanceGracePeriod action timeout
MaintenanceGracePeriod *Timeout `json:"maintenanceGracePeriod,omitempty"` MaintenanceGracePeriod *Timeout `json:"maintenanceGracePeriod,omitempty"`
// Actions keep list of the actions timeouts. // Actions keep map of the actions timeouts.
// +doc/type: map[string]meta.Duration // +doc/type: map[string]meta.Duration
// +doc/link: List of supported action names|/docs/generated/actions.md // +doc/link: List of supported action names|/docs/generated/actions.md
// +doc/link: Definition of meta.Duration|https://github.com/kubernetes/apimachinery/blob/v0.26.6/pkg/apis/meta/v1/duration.go // +doc/link: Definition of meta.Duration|https://github.com/kubernetes/apimachinery/blob/v0.26.6/pkg/apis/meta/v1/duration.go


@ -32,6 +32,7 @@ import (
v1 "k8s.io/api/core/v1" v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
runtime "k8s.io/apimachinery/pkg/runtime" runtime "k8s.io/apimachinery/pkg/runtime"
intstr "k8s.io/apimachinery/pkg/util/intstr"
) )
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@ -2576,6 +2577,13 @@ func (in *ServerGroupSpecSecurityContext) DeepCopyInto(out *ServerGroupSpecSecur
*out = new(int64) *out = new(int64)
**out = **in **out = **in
} }
if in.Sysctls != nil {
in, out := &in.Sysctls, &out.Sysctls
*out = make(map[string]intstr.IntOrString, len(*in))
for key, val := range *in {
(*out)[key] = val
}
}
if in.SeccompProfile != nil { if in.SeccompProfile != nil {
in, out := &in.SeccompProfile, &out.SeccompProfile in, out := &in.SeccompProfile, &out.SeccompProfile
*out = new(v1.SeccompProfile) *out = new(v1.SeccompProfile)