Pod Security

简要概述

TODO;

数据结构

PodSecurityContext

// PodSecurityContext holds pod-level security attributes and common container settings.
// Some fields are also present in container.securityContext.  Field values of
// container.securityContext take precedence over field values of PodSecurityContext.
//
// The struct is purely declarative: per the field comments below, the values are
// applied by the Kubelet or the container runtime when the pod/containers start,
// not by this type itself.  Every field is optional, so an empty PodSecurityContext
// requests none of these restrictions.
type PodSecurityContext struct {
    // The SELinux context to be applied to all containers.
    // If unspecified, the container runtime will allocate a random SELinux context for each
    // container.  May also be set in SecurityContext.  If set in
    // both SecurityContext and PodSecurityContext, the value specified in SecurityContext
    // takes precedence for that container.
    // +optional
    SELinuxOptions *SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,1,opt,name=seLinuxOptions"`
    // The Windows specific settings applied to all containers.
    // If unspecified, the options within a container's SecurityContext will be used.
    // If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
    // +optional
    WindowsOptions *WindowsSecurityContextOptions `json:"windowsOptions,omitempty" protobuf:"bytes,8,opt,name=windowsOptions"`
    // The UID to run the entrypoint of the container process.
    // Defaults to user specified in image metadata if unspecified.
    // May also be set in SecurityContext.  If set in both SecurityContext and
    // PodSecurityContext, the value specified in SecurityContext takes precedence
    // for that container.
    // A value of 0 requests UID 0 (root); see RunAsNonRoot for the complementary check.
    // +optional
    RunAsUser *int64 `json:"runAsUser,omitempty" protobuf:"varint,2,opt,name=runAsUser"`
    // The GID to run the entrypoint of the container process.
    // Uses runtime default if unset.
    // May also be set in SecurityContext.  If set in both SecurityContext and
    // PodSecurityContext, the value specified in SecurityContext takes precedence
    // for that container.
    // +optional
    RunAsGroup *int64 `json:"runAsGroup,omitempty" protobuf:"varint,6,opt,name=runAsGroup"`
    // Indicates that the container must run as a non-root user.
    // If true, the Kubelet will validate the image at runtime to ensure that it
    // does not run as UID 0 (root) and fail to start the container if it does.
    // If unset or false, no such validation will be performed.
    // May also be set in SecurityContext.  If set in both SecurityContext and
    // PodSecurityContext, the value specified in SecurityContext takes precedence.
    // Note that the check happens at container start, so when this is unset the
    // image's own default user is trusted as-is.
    // +optional
    RunAsNonRoot *bool `json:"runAsNonRoot,omitempty" protobuf:"varint,3,opt,name=runAsNonRoot"`
    // A list of groups applied to the first process run in each container, in addition
    // to the container's primary GID.  If unspecified, no groups will be added to
    // any container.
    // +optional
    SupplementalGroups []int64 `json:"supplementalGroups,omitempty" protobuf:"varint,4,rep,name=supplementalGroups"`
    // A special supplemental group that applies to all containers in a pod.
    // Some volume types allow the Kubelet to change the ownership of that volume
    // to be owned by the pod:
    //
    // 1. The owning GID will be the FSGroup
    // 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
    // 3. The permission bits are OR'd with rw-rw----
    //
    // If unset, the Kubelet will not modify the ownership and permissions of any volume.
    // Because the bits are OR'd in, this can only widen group access, never narrow it.
    // +optional
    FSGroup *int64 `json:"fsGroup,omitempty" protobuf:"varint,5,opt,name=fsGroup"`
    // Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
    // sysctls (by the container runtime) might fail to launch.
    // NOTE(review): which sysctls are accepted is decided by the runtime/node
    // configuration, not by this type — verify against the target cluster.
    // +optional
    Sysctls []Sysctl `json:"sysctls,omitempty" protobuf:"bytes,7,rep,name=sysctls"`
    // fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
    // before being exposed inside Pod. This field will only apply to
    // volume types which support fsGroup based ownership(and permissions).
    // It will have no effect on ephemeral volume types such as: secret, configmaps
    // and emptydir.
    // Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
    // +optional
    FSGroupChangePolicy *PodFSGroupChangePolicy `json:"fsGroupChangePolicy,omitempty" protobuf:"bytes,9,opt,name=fsGroupChangePolicy"`
    // The seccomp options to use by the containers in this pod.
    // NOTE(review): when nil, the effective seccomp behavior is whatever the container
    // SecurityContext or runtime default provides; this type does not pin it — confirm
    // the cluster's default before relying on it.
    // +optional
    SeccompProfile *SeccompProfile `json:"seccompProfile,omitempty" protobuf:"bytes,10,opt,name=seccompProfile"`
}

SELinuxOptions

// SELinuxOptions are the labels to be applied to the container.
// The four fields correspond to the user:role:type:level components of an
// SELinux context.  All of them are plain strings and optional; no validation
// is expressed by this type, so the container runtime is what ultimately
// accepts or rejects a given label.
type SELinuxOptions struct {
    // User is a SELinux user label that applies to the container.
    // +optional
    User string `json:"user,omitempty" protobuf:"bytes,1,opt,name=user"`
    // Role is a SELinux role label that applies to the container.
    // +optional
    Role string `json:"role,omitempty" protobuf:"bytes,2,opt,name=role"`
    // Type is a SELinux type label that applies to the container.
    // +optional
    Type string `json:"type,omitempty" protobuf:"bytes,3,opt,name=type"`
    // Level is SELinux level label that applies to the container.
    // +optional
    Level string `json:"level,omitempty" protobuf:"bytes,4,opt,name=level"`
}

WindowsSecurityContextOptions

// WindowsSecurityContextOptions contain Windows-specific options and credentials.
// Every field is optional; the GMSA fields reference or embed credential material,
// and HostProcess changes the isolation level of the container (see its comment).
type WindowsSecurityContextOptions struct {
    // GMSACredentialSpecName is the name of the GMSA credential spec to use.
    // +optional
    GMSACredentialSpecName *string `json:"gmsaCredentialSpecName,omitempty" protobuf:"bytes,1,opt,name=gmsaCredentialSpecName"`

    // GMSACredentialSpec is where the GMSA admission webhook
    // (https://github.com/kubernetes-sigs/windows-gmsa) inlines the contents of the
    // GMSA credential spec named by the GMSACredentialSpecName field.
    // NOTE(review): the type itself does not record who populated this field;
    // presumably only the webhook is expected to write it — confirm how it is
    // protected against being set directly by a pod author.
    // +optional
    GMSACredentialSpec *string `json:"gmsaCredentialSpec,omitempty" protobuf:"bytes,2,opt,name=gmsaCredentialSpec"`

    // The UserName in Windows to run the entrypoint of the container process.
    // Defaults to the user specified in image metadata if unspecified.
    // May also be set in PodSecurityContext. If set in both SecurityContext and
    // PodSecurityContext, the value specified in SecurityContext takes precedence.
    // +optional
    RunAsUserName *string `json:"runAsUserName,omitempty" protobuf:"bytes,3,opt,name=runAsUserName"`

    // HostProcess determines if a container should be run as a 'Host Process' container.
    // This field is alpha-level and will only be honored by components that enable the
    // WindowsHostProcessContainers feature flag. Setting this field without the feature
    // flag will result in errors when validating the Pod. All of a Pod's containers must
    // have the same effective HostProcess value (it is not allowed to have a mix of HostProcess
    // containers and non-HostProcess containers).  In addition, if HostProcess is true
    // then HostNetwork must also be set to true.
    // Because it requires HostNetwork, a true value here gives the pod host-level
    // access; review manifests that set it with the same scrutiny as other
    // host-sharing settings.
    // +optional
    HostProcess *bool `json:"hostProcess,omitempty" protobuf:"bytes,4,opt,name=hostProcess"`
}

Sysctl

// Sysctl defines a kernel parameter to be set.
// Both fields are required free-form strings (no omitempty).  Per
// PodSecurityContext.Sysctls, only namespaced sysctls are intended here, and a
// name the container runtime does not support may prevent the pod from launching.
type Sysctl struct {
    // Name of a property to set
    Name string `json:"name" protobuf:"bytes,1,opt,name=name"`
    // Value of a property to set
    Value string `json:"value" protobuf:"bytes,2,opt,name=value"`
}

PodFSGroupChangePolicy

// PodFSGroupChangePolicy holds policies that will be used for applying fsGroup to a volume
// when volume is mounted.  It is a string enum; the accepted values are the
// FSGroupChange* constants declared below.
type PodFSGroupChangePolicy string

// Valid values of PodFSGroupChangePolicy.  "Always" is the default when the
// field is left unset on PodSecurityContext.
const (
    // FSGroupChangeOnRootMismatch indicates that volume's ownership and permissions will be changed
    // only when permission and ownership of root directory does not match with expected
    // permissions on the volume. This can help shorten the time it takes to change
    // ownership and permissions of a volume.
    // Only the root directory is inspected, so files deeper in the volume whose
    // ownership drifted are left untouched under this policy.
    FSGroupChangeOnRootMismatch PodFSGroupChangePolicy = "OnRootMismatch"
    // FSGroupChangeAlways indicates that volume's ownership and permissions
    // should always be changed whenever volume is mounted inside a Pod. This is the default
    // behavior.
    FSGroupChangeAlways PodFSGroupChangePolicy = "Always"
)

SeccompProfile

// SeccompProfile defines a pod/container's seccomp profile settings.
// Only one profile source may be set.
// Type is the discriminator; LocalhostProfile is the only type-specific payload
// and is meaningful solely for Type == "Localhost".
// +union
type SeccompProfile struct {
    // type indicates which kind of seccomp profile will be applied.
    // Valid options are:
    //
    // Localhost - a profile defined in a file on the node should be used.
    // RuntimeDefault - the container runtime default profile should be used.
    // Unconfined - no profile should be applied.
    // +unionDiscriminator
    Type SeccompProfileType `json:"type" protobuf:"bytes,1,opt,name=type,casttype=SeccompProfileType"`
    // localhostProfile indicates a profile defined in a file on the node should be used.
    // The profile must be preconfigured on the node to work.
    // Must be a descending path, relative to the kubelet's configured seccomp profile location.
    // Must only be set if type is "Localhost".
    // NOTE(review): "descending" presumably means the path may not climb out of the
    // configured profile directory; the restriction is not enforced by this type,
    // so confirm where it is validated.
    // +optional
    LocalhostProfile *string `json:"localhostProfile,omitempty" protobuf:"bytes,2,opt,name=localhostProfile"`
}

// SeccompProfileType defines the supported seccomp profile types.
// It is a string enum whose valid values are the SeccompProfileType* constants
// below; it is used as the union discriminator in SeccompProfile.
type SeccompProfileType string

const (
    // SeccompProfileTypeUnconfined indicates no seccomp profile is applied (A.K.A. unconfined).
    // This is the least restrictive option: no syscall filtering at all.
    SeccompProfileTypeUnconfined SeccompProfileType = "Unconfined"
    // SeccompProfileTypeRuntimeDefault represents the default container runtime seccomp profile.
    // Which syscalls that profile allows is defined by the runtime, not here.
    SeccompProfileTypeRuntimeDefault SeccompProfileType = "RuntimeDefault"
    // SeccompProfileTypeLocalhost indicates a profile defined in a file on the node should be used.
    // The file's location is based off the kubelet's deprecated flag --seccomp-profile-root.
    // Once the flag support is removed the location will be <kubelet-root-dir>/seccomp.
    // The file itself is named by SeccompProfile.LocalhostProfile.
    SeccompProfileTypeLocalhost SeccompProfileType = "Localhost"
)