diff --git a/api/docs/api/v1.SecurityContextConstraints.adoc b/api/docs/api/v1.SecurityContextConstraints.adoc
index 2811d4a2e9bb..4ae0293785a2 100644
--- a/api/docs/api/v1.SecurityContextConstraints.adoc
+++ b/api/docs/api/v1.SecurityContextConstraints.adoc
@@ -29,11 +29,19 @@ Expand or mouse-over a field for more information about it.
- [string]:
allowedFlexVolumes:
- driver: +
allowedUnsafeSysctls: +
- [string]:
apiVersion:
defaultAddCapabilities:
- [string]:
defaultAllowPrivilegeEscalation: -
fsGroup: +
forbiddenSysctls: +
- [string]: +
fsGroup:
ranges:
- max:
min:
diff --git a/api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc b/api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc
index e4c568a9d036..e83b02532563 100644
--- a/api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc
+++ b/api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc
@@ -29,11 +29,19 @@ Expand or mouse-over a field for more information about it.
- [string]:
allowedFlexVolumes:
- driver: +
allowedUnsafeSysctls: +
- [string]:
apiVersion:
defaultAddCapabilities:
- [string]:
defaultAllowPrivilegeEscalation: -
fsGroup: +
forbiddenSysctls: +
- [string]: +
fsGroup:
ranges:
- max:
min:
diff --git a/api/protobuf-spec/github_com_openshift_api_security_v1.proto b/api/protobuf-spec/github_com_openshift_api_security_v1.proto
index ee508a8851c5..2823b9fb3809 100644
--- a/api/protobuf-spec/github_com_openshift_api_security_v1.proto
+++ b/api/protobuf-spec/github_com_openshift_api_security_v1.proto
@@ -281,6 +281,27 @@ message SecurityContextConstraints {
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
repeated string seccompProfiles = 20;
+
+ // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string allowedUnsafeSysctls = 24;
+
+ // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string forbiddenSysctls = 25;
}
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
diff --git a/api/swagger-spec/api-v1.json b/api/swagger-spec/api-v1.json
index fdcbd0293a1f..01589222218e 100644
--- a/api/swagger-spec/api-v1.json
+++ b/api/swagger-spec/api-v1.json
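Review bot: The doc comments on the two new fields in this hunk, allowedUnsafeSysctls (= 24) and forbiddenSysctls (= 25), never say what happens when one sysctl matches both lists (for example `forbiddenSysctls: ["net.*"]` together with `allowedUnsafeSysctls: ["net.ipv4.*"]`), so an administrator composing an SCC cannot tell from the schema which list wins or whether such overlap is rejected at admission; that precedence is the whole security contract of the pair and should be stated on the field. I would append to the ForbiddenSysctls comment: `// A sysctl matching ForbiddenSysctls is rejected even if it also matches AllowedUnsafeSysctls; the two lists are not expected to overlap (confirm against SCC validation).` The `Single * means all unsafe sysctls are allowed` sentence also deserves a one-line warning that a bare `*` disables the namespaced-sysctl safety distinction for every pod admitted under this SCC, and that the kubelet allowlist sentence means an SCC entry is necessary but not sufficient. If this .proto is produced from the Go API types (the `+optional` markers suggest it is), the wording change belongs on the Go struct field and should be regenerated here; the enclosing `message SecurityContextConstraints` starts before this hunk.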
@@ -23552,6 +23552,20 @@ "type": "string" }, "description": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default." + }, + "allowedUnsafeSysctls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc." + }, + "forbiddenSysctls": { + "type": "array", + "items": { + "type": "string" + }, + "description": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc." } } }, diff --git a/api/swagger-spec/openshift-openapi-spec.json b/api/swagger-spec/openshift-openapi-spec.json index 58b5c5564881..30c3a5116e7d 100644 --- a/api/swagger-spec/openshift-openapi-spec.json +++ b/api/swagger-spec/openshift-openapi-spec.json 
@@ -118410,6 +118410,13 @@ "$ref": "#/definitions/com.github.openshift.api.security.v1.AllowedFlexVolume" } }, + "allowedUnsafeSysctls": { + "description": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + "type": "array", + "items": { + "type": "string" + } + }, "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources", "type": "string" @@ -118425,6 +118432,13 @@ "description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.", "type": "boolean" }, + "forbiddenSysctls": { + "description": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", + "type": "array", + "items": { + "type": "string" + } + }, "fsGroup": { "description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.", "$ref": "#/definitions/com.github.openshift.api.security.v1.FSGroupStrategyOptions" diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go index f56dfc230c0f..1ef1f901c9c6 100644 
--- a/pkg/openapi/zz_generated.openapi.go +++ b/pkg/openapi/zz_generated.openapi.go @@ -11638,6 +11638,34 @@ func schema_openshift_api_security_v1_SecurityContextConstraints(ref common.Refe }, }, }, + "allowedUnsafeSysctls": { + SchemaProps: spec.SchemaProps{ + Description: "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, + "forbiddenSysctls": { + SchemaProps: spec.SchemaProps{ + Description: "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.", + Type: []string{"array"}, + Items: &spec.SchemaOrArray{ + Schema: &spec.Schema{ + SchemaProps: spec.SchemaProps{ + Type: []string{"string"}, + Format: "", + }, + }, + }, + }, + }, }, Required: []string{"priority", "allowPrivilegedContainer", "defaultAddCapabilities", "requiredDropCapabilities", "allowedCapabilities", "allowHostDirVolumePlugin", "volumes", "allowHostNetwork", "allowHostPorts", "allowHostPID", "allowHostIPC", "readOnlyRootFilesystem"}, }, diff --git a/pkg/security/apis/security/v1/zz_generated.conversion.go b/pkg/security/apis/security/v1/zz_generated.conversion.go index c1691643c7dd..3f40feb37aa3 100644 
--- a/pkg/security/apis/security/v1/zz_generated.conversion.go +++ b/pkg/security/apis/security/v1/zz_generated.conversion.go @@ -523,6 +523,8 @@ func autoConvert_v1_SecurityContextConstraints_To_security_SecurityContextConstr out.Users = *(*[]string)(unsafe.Pointer(&in.Users)) out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups)) out.SeccompProfiles = *(*[]string)(unsafe.Pointer(&in.SeccompProfiles)) + out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) + out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls)) return nil } @@ -557,6 +559,8 @@ func autoConvert_security_SecurityContextConstraints_To_v1_SecurityContextConstr out.SeccompProfiles = *(*[]string)(unsafe.Pointer(&in.SeccompProfiles)) out.Users = *(*[]string)(unsafe.Pointer(&in.Users)) out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups)) + out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls)) + out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls)) return nil } diff --git a/pkg/security/apis/security/zz_generated.deepcopy.go b/pkg/security/apis/security/zz_generated.deepcopy.go index f3bed48970e0..b6912ef440cf 100644 --- a/pkg/security/apis/security/zz_generated.deepcopy.go +++ b/pkg/security/apis/security/zz_generated.deepcopy.go @@ -461,6 +461,16 @@ func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstrain *out = make([]string, len(*in)) copy(*out, *in) } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.ForbiddenSysctls != nil { + in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } return }