diff --git a/features.md b/features.md
index b6b14d794a1..2241639bc0f 100644
--- a/features.md
+++ b/features.md
@@ -48,14 +48,11 @@
| OVNObservability| | | Enabled | Enabled | Enabled | Enabled |
| PinnedImages| | | Enabled | Enabled | Enabled | Enabled |
| PlatformOperators| | | Enabled | Enabled | Enabled | Enabled |
-| ProcMountType| | | Enabled | Enabled | Enabled | Enabled |
| RouteAdvertisements| | | Enabled | Enabled | Enabled | Enabled |
| SignatureStores| | | Enabled | Enabled | Enabled | Enabled |
| SigstoreImageVerification| | | Enabled | Enabled | Enabled | Enabled |
| TranslateStreamCloseWebsocketRequests| | | Enabled | Enabled | Enabled | Enabled |
| UpgradeStatus| | | Enabled | Enabled | Enabled | Enabled |
-| UserNamespacesPodSecurityStandards| | | Enabled | Enabled | Enabled | Enabled |
-| UserNamespacesSupport| | | Enabled | Enabled | Enabled | Enabled |
| VSphereConfigurableMaxAllowedBlockVolumesPerNode| | | Enabled | Enabled | Enabled | Enabled |
| VSphereHostVMGroupZonal| | | Enabled | Enabled | Enabled | Enabled |
| VSphereMultiDisk| | | Enabled | Enabled | Enabled | Enabled |
@@ -94,9 +91,12 @@
| OpenShiftPodSecurityAdmission| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| PersistentIPsForVirtualization| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| PrivateHostedZoneAWS| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
+| ProcMountType| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| RouteExternalCertificate| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| ServiceAccountTokenNodeBinding| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| SetEIPForNLBIngressController| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
+| UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
+| UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| VSphereDriverConfiguration| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| VSphereMultiVCenters| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| ValidatingAdmissionPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 055e100ceb1..8057344ea0f 100644
--- a/features/features.go
+++ b/features/features.go
@@ -687,15 +687,18 @@ var (
contactPerson("haircommander").
productScope(kubernetes).
enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
mustRegister()
+ // Note: this feature is perma-alpha, but it is safe and desireable to enable.
+ // It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33.
+ // See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration
FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards").
reportProblemsToJiraComponent("Node").
contactPerson("haircommander").
productScope(kubernetes).
enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
mustRegister()
FeatureGateProcMountType = newFeatureGate("ProcMountType").
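Review bot: The new comment block sits between UserNamespacesSupport's `mustRegister()` and the UserNamespacesPodSecurityStandards declaration, so a reader cannot tell which of the two gates "this feature is perma-alpha" refers to, and it also misspells "desirable". Since the linked KEP section is about relaxing Pod Security Standards checks for pods that opt into user namespaces, the justification for shipping it in `configv1.Default` should name the gate and the reason it is considered safe, e.g. `// Note: UserNamespacesPodSecurityStandards is perma-alpha upstream, but it is safe and desirable to enable:` followed by the existing two lines with "desireable" removed. The enclosing `var (` block begins outside this hunk.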
@@ -703,7 +706,7 @@ var (
contactPerson("haircommander").
productScope(kubernetes).
enhancementPR("https://github.com/kubernetes/enhancements/issues/4265").
- enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade).
+ enableIn(configv1.DevPreviewNoUpgrade, configv1.TechPreviewNoUpgrade, configv1.Default).
mustRegister()
FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
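Review bot: ProcMountType is moved into `configv1.Default` here without any accompanying rationale, whereas the UserNamespaces gates in the previous hunk get a note explaining why a non-GA gate is safe to enable by default. Because this gate admits `procMount: Unmasked`, a setting that exposes /proc paths the runtime otherwise masks, the commit should record why that is acceptable for every cluster — for instance whether, as upstream KEP 4265 describes, Unmasked is only honored for pods that do not use host users, and that SCC/PSS admission still governs it — in a comment such as `// Note: ProcMountType is enabled by default; Unmasked procMount remains subject to SCC admission (see KEP 4265).`. This is a documentation-only suggestion; the enableIn change itself matches the other two gates. The enclosing `var (` block begins outside this hunk.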
diff --git a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-Default.crd.yaml b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-Default.crd.yaml
deleted file mode 100644
index 2d171c6d853..00000000000
--- a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-Default.crd.yaml
+++ /dev/null
@@ -1,391 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/merged-by-featuregates: "true"
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: Default
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true
diff --git a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-DevPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-DevPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index 301329c8dd0..00000000000
--- a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-DevPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,403 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/merged-by-featuregates: "true"
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: DevPreviewNoUpgrade
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- userNamespaceLevel:
- default: AllowHostLevel
- description: |-
- userNamespaceLevel determines if the policy allows host users in containers.
- Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
- When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
- When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
- When omitted, the default value is "AllowHostLevel".
- enum:
- - AllowHostLevel
- - RequirePodLevel
- type: string
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true
diff --git a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-TechPreviewNoUpgrade.crd.yaml b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-TechPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index a10601e8844..00000000000
--- a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-TechPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,403 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/merged-by-featuregates: "true"
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: TechPreviewNoUpgrade
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- userNamespaceLevel:
- default: AllowHostLevel
- description: |-
- userNamespaceLevel determines if the policy allows host users in containers.
- Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
- When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
- When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
- When omitted, the default value is "AllowHostLevel".
- enum:
- - AllowHostLevel
- - RequirePodLevel
- type: string
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true
diff --git a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
similarity index 99%
rename from payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml
rename to payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
index 9c7cb41f64a..dc14c04a53e 100644
--- a/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml
+++ b/payload-manifests/crds/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
@@ -7,7 +7,6 @@ metadata:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: CustomNoUpgrade
name: securitycontextconstraints.security.openshift.io
spec:
group: security.openshift.io
diff --git a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
index f2a9bf86186..bd4bb15e18d 100644
--- a/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-Hypershift-Default.yaml
@@ -145,9 +145,6 @@
{
"name": "PlatformOperators"
},
- {
- "name": "ProcMountType"
- },
{
"name": "RouteAdvertisements"
},
@@ -175,12 +172,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
},
@@ -297,6 +288,9 @@
{
"name": "PrivateHostedZoneAWS"
},
+ {
+ "name": "ProcMountType"
+ },
{
"name": "RouteExternalCertificate"
},
@@ -306,6 +300,12 @@
{
"name": "SetEIPForNLBIngressController"
},
+ {
+ "name": "UserNamespacesPodSecurityStandards"
+ },
+ {
+ "name": "UserNamespacesSupport"
+ },
{
"name": "VSphereDriverConfiguration"
},
diff --git a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
index 49b17aa4619..cd284b09e29 100644
--- a/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-SelfManagedHA-Default.yaml
@@ -145,9 +145,6 @@
{
"name": "PlatformOperators"
},
- {
- "name": "ProcMountType"
- },
{
"name": "RouteAdvertisements"
},
@@ -175,12 +172,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
},
@@ -297,6 +288,9 @@
{
"name": "PrivateHostedZoneAWS"
},
+ {
+ "name": "ProcMountType"
+ },
{
"name": "RouteExternalCertificate"
},
@@ -306,6 +300,12 @@
{
"name": "SetEIPForNLBIngressController"
},
+ {
+ "name": "UserNamespacesPodSecurityStandards"
+ },
+ {
+ "name": "UserNamespacesSupport"
+ },
{
"name": "VSphereDriverConfiguration"
},
diff --git a/security/v1/tests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml b/security/v1/tests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml
index cdffd05dfc6..b6ce5ac2fce 100644
--- a/security/v1/tests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml
+++ b/security/v1/tests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml
@@ -1,11 +1,9 @@
apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
name: "SecurityContextConstraints"
crdName: securitycontextconstraints.security.openshift.io
-featureGates:
-- -UserNamespacesPodSecurityStandards
tests:
onCreate:
- - name: Should be able to create a minimal SecurityContextConstraints
+ - name: Should be able to create a minimal SecurityContextConstraints with featuregate enabled
initial: |
apiVersion: security.openshift.io/v1
kind: SecurityContextConstraints
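Review bot: The renamed test case on the `+ - name:` line now says "with featuregate enabled", but the same hunk removes the `featureGates:` block and the file is `AAA_ungated.yaml`, so the suite runs this case against the ungated CRD and the name no longer describes what is exercised. A reader checking coverage for the gate will be misled into thinking a gated variant exists. Suggest either restoring the original wording, `- name: Should be able to create a minimal SecurityContextConstraints`, or naming the observable behaviour, `- name: Should be able to create a minimal SecurityContextConstraints and default userNamespaceLevel`. The test body continues past this hunk.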
@@ -35,4 +33,73 @@ tests:
priority: 0
readOnlyRootFilesystem: false
requiredDropCapabilities: []
+ userNamespaceLevel: "AllowHostLevel"
+ volumes: []
+
+ - name: Should be able to set userNamespaceLevel to AllowHostLevel
+ initial: |
+ apiVersion: security.openshift.io/v1
+ kind: SecurityContextConstraints
+ userNamespaceLevel: "AllowHostLevel"
+ allowHostDirVolumePlugin: false
+ allowHostIPC: false
+ allowHostNetwork: false
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegedContainer: false
+ allowedCapabilities: []
+ defaultAddCapabilities: []
+ priority: 0
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities: []
+ volumes: []
+ expected: |
+ apiVersion: security.openshift.io/v1
+ kind: SecurityContextConstraints
+ userNamespaceLevel: "AllowHostLevel"
+ allowHostDirVolumePlugin: false
+ allowHostIPC: false
+ allowHostNetwork: false
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegedContainer: false
+ allowedCapabilities: []
+ defaultAddCapabilities: []
+ priority: 0
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities: []
+ volumes: []
+
+ - name: Should be able to set userNamespaceLevel to RequirePodLevel
+ initial: |
+ apiVersion: security.openshift.io/v1
+ kind: SecurityContextConstraints
+ userNamespaceLevel: "RequirePodLevel"
+ allowHostDirVolumePlugin: false
+ allowHostIPC: false
+ allowHostNetwork: false
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegedContainer: false
+ allowedCapabilities: []
+ defaultAddCapabilities: []
+ priority: 0
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities: []
+ volumes: []
+ expected: |
+ apiVersion: security.openshift.io/v1
+ kind: SecurityContextConstraints
+ userNamespaceLevel: "RequirePodLevel"
+ allowHostDirVolumePlugin: false
+ allowHostIPC: false
+ allowHostNetwork: false
+ allowHostPID: false
+ allowHostPorts: false
+ allowPrivilegedContainer: false
+ allowedCapabilities: []
+ defaultAddCapabilities: []
+ priority: 0
+ readOnlyRootFilesystem: false
+ requiredDropCapabilities: []
volumes: []
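Review bot: The new cases only exercise the two accepted values `AllowHostLevel` and `RequirePodLevel` (plus the defaulted value added to the first expected block); nothing asserts that the schema rejects a value outside the enum, which is the check that matters once the field is served ungated, because a typo in an SCC would otherwise be silently accepted as a stricter or looser policy depending on how it is read. A negative case with a constructed invalid value and an `expectedError` substring would pin the enum constraint; the exact apiserver message should be confirmed against a live run before committing the substring. Sketch below, with the remaining required fields copied from the neighbouring cases.
```yaml
  # … unchanged: existing AllowHostLevel / RequirePodLevel cases …
  - name: Should reject an unknown userNamespaceLevel
    initial: |
      apiVersion: security.openshift.io/v1
      kind: SecurityContextConstraints
      userNamespaceLevel: "NotAValue"   # constructed invalid value
      allowHostDirVolumePlugin: false
      allowHostIPC: false
      allowHostNetwork: false
      allowHostPID: false
      allowHostPorts: false
      allowPrivilegedContainer: false
      allowedCapabilities: []
      defaultAddCapabilities: []
      priority: 0
      readOnlyRootFilesystem: false
      requiredDropCapabilities: []
      volumes: []
    expectedError: 'Unsupported value: "NotAValue"'   # TODO confirm exact message
```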
diff --git a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-Default.crd.yaml b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-Default.crd.yaml
deleted file mode 100644
index 2d171c6d853..00000000000
--- a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-Default.crd.yaml
+++ /dev/null
@@ -1,391 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/merged-by-featuregates: "true"
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: Default
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true
diff --git a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-DevPreviewNoUpgrade.crd.yaml b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-DevPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index 301329c8dd0..00000000000
--- a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-DevPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,403 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/merged-by-featuregates: "true"
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: DevPreviewNoUpgrade
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- userNamespaceLevel:
- default: AllowHostLevel
- description: |-
- userNamespaceLevel determines if the policy allows host users in containers.
- Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
- When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
- When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
- When omitted, the default value is "AllowHostLevel".
- enum:
- - AllowHostLevel
- - RequirePodLevel
- type: string
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true
diff --git a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-TechPreviewNoUpgrade.crd.yaml b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-TechPreviewNoUpgrade.crd.yaml
deleted file mode 100644
index a10601e8844..00000000000
--- a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-TechPreviewNoUpgrade.crd.yaml
+++ /dev/null
@@ -1,403 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/merged-by-featuregates: "true"
- include.release.openshift.io/ibm-cloud-managed: "true"
- include.release.openshift.io/self-managed-high-availability: "true"
- release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: TechPreviewNoUpgrade
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- userNamespaceLevel:
- default: AllowHostLevel
- description: |-
- userNamespaceLevel determines if the policy allows host users in containers.
- Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
- When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
- When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
- When omitted, the default value is "AllowHostLevel".
- enum:
- - AllowHostLevel
- - RequirePodLevel
- type: string
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true
diff --git a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
similarity index 99%
rename from security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml
rename to security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
index 9c7cb41f64a..dc14c04a53e 100644
--- a/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints-CustomNoUpgrade.crd.yaml
+++ b/security/v1/zz_generated.crd-manifests/0000_03_config-operator_01_securitycontextconstraints.crd.yaml
@@ -7,7 +7,6 @@ metadata:
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
release.openshift.io/bootstrap-required: "true"
- release.openshift.io/feature-set: CustomNoUpgrade
name: securitycontextconstraints.security.openshift.io
spec:
group: security.openshift.io