diff --git a/features.md b/features.md
index 35681a8b2cd..c17991f3092 100644
--- a/features.md
+++ b/features.md
@@ -113,7 +113,5 @@
| SigstoreImageVerificationPKI| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| StoragePerformantSecurityPolicy| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| UpgradeStatus| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
-| UserNamespacesPodSecurityStandards| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
-| UserNamespacesSupport| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| VSphereMultiDisk| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
| VSphereMultiNetworks| Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled | Enabled |
diff --git a/features/features.go b/features/features.go
index 0642c93bb60..9234418cee0 100644
--- a/features/features.go
+++ b/features/features.go
@@ -630,24 +630,6 @@ var (
enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
mustRegister()
- FeatureGateUserNamespacesSupport = newFeatureGate("UserNamespacesSupport").
- reportProblemsToJiraComponent("Node").
- contactPerson("haircommander").
- productScope(kubernetes).
- enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
- mustRegister()
-
- // Note: this feature is perma-alpha, but it is safe and desireable to enable.
- // It was an oversight in upstream to not remove the feature gate after the version skew became safe in 1.33.
- // See https://github.com/kubernetes/enhancements/tree/d4226c42/keps/sig-node/127-user-namespaces#pod-security-standards-pss-integration
- FeatureGateUserNamespacesPodSecurityStandards = newFeatureGate("UserNamespacesPodSecurityStandards").
- reportProblemsToJiraComponent("Node").
- contactPerson("haircommander").
- productScope(kubernetes).
- enhancementPR("https://github.com/kubernetes/enhancements/issues/127").
- enable(inDefault(), inOKD(), inTechPreviewNoUpgrade(), inDevPreviewNoUpgrade()).
- mustRegister()
FeatureGateVSphereMultiNetworks = newFeatureGate("VSphereMultiNetworks").
reportProblemsToJiraComponent("SPLAT").
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
index 71ac262af06..07d68079d2f 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-Default.yaml
@@ -355,12 +355,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereMultiDisk"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
index 355ee23d0ab..278eef68368 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-DevPreviewNoUpgrade.yaml
@@ -345,12 +345,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
index 4164e679458..c90c32325e5 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-OKD.yaml
@@ -357,12 +357,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereMultiDisk"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
index be23ec6c069..4a520920220 100644
--- a/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-Hypershift-TechPreviewNoUpgrade.yaml
@@ -345,12 +345,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
index b7119097752..4a4330db70a 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-Default.yaml
@@ -355,12 +355,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereMultiDisk"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
index c4e0496bdb6..fdd3f93d50c 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-DevPreviewNoUpgrade.yaml
@@ -345,12 +345,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
index d5abbb080a9..b4f97d60fd4 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-OKD.yaml
@@ -357,12 +357,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereMultiDisk"
},
diff --git a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
index c93fc78049a..9f611a7dd83 100644
--- a/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
+++ b/payload-manifests/featuregates/featureGate-4-10-SelfManagedHA-TechPreviewNoUpgrade.yaml
@@ -345,12 +345,6 @@
{
"name": "UpgradeStatus"
},
- {
- "name": "UserNamespacesPodSecurityStandards"
- },
- {
- "name": "UserNamespacesSupport"
- },
{
"name": "VSphereConfigurableMaxAllowedBlockVolumesPerNode"
},
diff --git a/security/v1/generated.proto b/security/v1/generated.proto
index 933de5450e1..56080beee9b 100644
--- a/security/v1/generated.proto
+++ b/security/v1/generated.proto
@@ -302,7 +302,6 @@ message SecurityContextConstraints {
// When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
// When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
// When omitted, the default value is "AllowHostLevel".
- // +openshift:enable:FeatureGate=UserNamespacesPodSecurityStandards
// +kubebuilder:validation:Enum="AllowHostLevel";"RequirePodLevel"
// +kubebuilder:default:="AllowHostLevel"
// +default="AllowHostLevel"
diff --git a/security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml b/security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
deleted file mode 100644
index 54694ff76c8..00000000000
--- a/security/v1/tests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
+++ /dev/null
@@ -1,107 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1 # Hack because controller-gen complains if we don't have this
-name: "SecurityContextConstraints"
-crdName: securitycontextconstraints.security.openshift.io
-featureGates:
-- UserNamespacesPodSecurityStandards
-tests:
- onCreate:
- - name: Should be able to create a minimal SecurityContextConstraints with featuregate enabled
- initial: |
- apiVersion: security.openshift.io/v1
- kind: SecurityContextConstraints
- allowHostDirVolumePlugin: false
- allowHostIPC: false
- allowHostNetwork: false
- allowHostPID: false
- allowHostPorts: false
- allowPrivilegedContainer: false
- allowedCapabilities: []
- defaultAddCapabilities: []
- priority: 0
- readOnlyRootFilesystem: false
- requiredDropCapabilities: []
- volumes: []
- expected: |
- apiVersion: security.openshift.io/v1
- kind: SecurityContextConstraints
- allowHostDirVolumePlugin: false
- allowHostIPC: false
- allowHostNetwork: false
- allowHostPID: false
- allowHostPorts: false
- allowPrivilegedContainer: false
- allowedCapabilities: []
- defaultAddCapabilities: []
- priority: 0
- readOnlyRootFilesystem: false
- requiredDropCapabilities: []
- userNamespaceLevel: "AllowHostLevel"
- volumes: []
-
- - name: Should be able to set userNamespaceLevel to AllowHostLevel
- initial: |
- apiVersion: security.openshift.io/v1
- kind: SecurityContextConstraints
- userNamespaceLevel: "AllowHostLevel"
- allowHostDirVolumePlugin: false
- allowHostIPC: false
- allowHostNetwork: false
- allowHostPID: false
- allowHostPorts: false
- allowPrivilegedContainer: false
- allowedCapabilities: []
- defaultAddCapabilities: []
- priority: 0
- readOnlyRootFilesystem: false
- requiredDropCapabilities: []
- volumes: []
- expected: |
- apiVersion: security.openshift.io/v1
- kind: SecurityContextConstraints
- userNamespaceLevel: "AllowHostLevel"
- allowHostDirVolumePlugin: false
- allowHostIPC: false
- allowHostNetwork: false
- allowHostPID: false
- allowHostPorts: false
- allowPrivilegedContainer: false
- allowedCapabilities: []
- defaultAddCapabilities: []
- priority: 0
- readOnlyRootFilesystem: false
- requiredDropCapabilities: []
- volumes: []
-
- - name: Should be able to set userNamespaceLevel to RequirePodLevel
- initial: |
- apiVersion: security.openshift.io/v1
- kind: SecurityContextConstraints
- userNamespaceLevel: "RequirePodLevel"
- allowHostDirVolumePlugin: false
- allowHostIPC: false
- allowHostNetwork: false
- allowHostPID: false
- allowHostPorts: false
- allowPrivilegedContainer: false
- allowedCapabilities: []
- defaultAddCapabilities: []
- priority: 0
- readOnlyRootFilesystem: false
- requiredDropCapabilities: []
- volumes: []
- expected: |
- apiVersion: security.openshift.io/v1
- kind: SecurityContextConstraints
- userNamespaceLevel: "RequirePodLevel"
- allowHostDirVolumePlugin: false
- allowHostIPC: false
- allowHostNetwork: false
- allowHostPID: false
- allowHostPorts: false
- allowPrivilegedContainer: false
- allowedCapabilities: []
- defaultAddCapabilities: []
- priority: 0
- readOnlyRootFilesystem: false
- requiredDropCapabilities: []
- volumes: []
diff --git a/security/v1/types.go b/security/v1/types.go
index fb491480d76..162cca3b078 100644
--- a/security/v1/types.go
+++ b/security/v1/types.go
@@ -103,7 +103,6 @@ type SecurityContextConstraints struct {
// When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
// When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
// When omitted, the default value is "AllowHostLevel".
- // +openshift:enable:FeatureGate=UserNamespacesPodSecurityStandards
// +kubebuilder:validation:Enum="AllowHostLevel";"RequirePodLevel"
// +kubebuilder:default:="AllowHostLevel"
// +default="AllowHostLevel"
diff --git a/security/v1/zz_generated.featuregated-crd-manifests.yaml b/security/v1/zz_generated.featuregated-crd-manifests.yaml
index 178c9707801..86f78058a24 100644
--- a/security/v1/zz_generated.featuregated-crd-manifests.yaml
+++ b/security/v1/zz_generated.featuregated-crd-manifests.yaml
@@ -5,8 +5,7 @@ securitycontextconstraints.security.openshift.io:
CRDName: securitycontextconstraints.security.openshift.io
Capability: ""
Category: ""
- FeatureGates:
- - UserNamespacesPodSecurityStandards
+ FeatureGates: []
FilenameOperatorName: config-operator
FilenameOperatorOrdering: "01"
FilenameRunLevel: "0000_03"
diff --git a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml
index 7316263d596..641c9bb7a9d 100644
--- a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml
+++ b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/AAA_ungated.yaml
@@ -353,6 +353,18 @@ spec:
groups is used in the SecurityContext.
type: string
type: object
+ userNamespaceLevel:
+ default: AllowHostLevel
+ description: |-
+ userNamespaceLevel determines if the policy allows host users in containers.
+ Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
+ When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
+ When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
+ When omitted, the default value is "AllowHostLevel".
+ enum:
+ - AllowHostLevel
+ - RequirePodLevel
+ type: string
users:
description: The users who have permissions to use this security context
constraints
diff --git a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml b/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
deleted file mode 100644
index dea8d21b21e..00000000000
--- a/security/v1/zz_generated.featuregated-crd-manifests/securitycontextconstraints.security.openshift.io/UserNamespacesPodSecurityStandards.yaml
+++ /dev/null
@@ -1,403 +0,0 @@
-apiVersion: apiextensions.k8s.io/v1
-kind: CustomResourceDefinition
-metadata:
- annotations:
- api-approved.openshift.io: https://github.com/openshift/api/pull/470
- api.openshift.io/filename-cvo-runlevel: "0000_03"
- api.openshift.io/filename-operator: config-operator
- api.openshift.io/filename-ordering: "01"
- feature-gate.release.openshift.io/UserNamespacesPodSecurityStandards: "true"
- release.openshift.io/bootstrap-required: "true"
- name: securitycontextconstraints.security.openshift.io
-spec:
- group: security.openshift.io
- names:
- kind: SecurityContextConstraints
- listKind: SecurityContextConstraintsList
- plural: securitycontextconstraints
- singular: securitycontextconstraints
- scope: Cluster
- versions:
- - additionalPrinterColumns:
- - description: Determines if a container can request to be run as privileged
- jsonPath: .allowPrivilegedContainer
- name: Priv
- type: string
- - description: A list of capabilities that can be requested to add to the container
- jsonPath: .allowedCapabilities
- name: Caps
- type: string
- - description: Strategy that will dictate what labels will be set in the SecurityContext
- jsonPath: .seLinuxContext.type
- name: SELinux
- type: string
- - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
- jsonPath: .runAsUser.type
- name: RunAsUser
- type: string
- - description: Strategy that will dictate what fs group is used by the SecurityContext
- jsonPath: .fsGroup.type
- name: FSGroup
- type: string
- - description: Strategy that will dictate what supplemental groups are used by
- the SecurityContext
- jsonPath: .supplementalGroups.type
- name: SupGroup
- type: string
- - description: Sort order of SCCs
- jsonPath: .priority
- name: Priority
- type: string
- - description: Force containers to run with a read only root file system
- jsonPath: .readOnlyRootFilesystem
- name: ReadOnlyRootFS
- type: string
- - description: White list of allowed volume plugins
- jsonPath: .volumes
- name: Volumes
- type: string
- name: v1
- schema:
- openAPIV3Schema:
- description: |-
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
- that will be applied to a container.
- For historical reasons SCC was exposed under the core Kubernetes API group.
- That exposure is deprecated and will be removed in a future release - users
- should instead use the security.openshift.io group to manage
- SecurityContextConstraints.
-
- Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- properties:
- allowHostDirVolumePlugin:
- description: allowHostDirVolumePlugin determines if the policy allow containers
- to use the HostDir volume plugin
- type: boolean
- allowHostIPC:
- description: allowHostIPC determines if the policy allows host ipc in
- the containers.
- type: boolean
- allowHostNetwork:
- description: allowHostNetwork determines if the policy allows the use
- of HostNetwork in the pod spec.
- type: boolean
- allowHostPID:
- description: allowHostPID determines if the policy allows host pid in
- the containers.
- type: boolean
- allowHostPorts:
- description: allowHostPorts determines if the policy allows host ports
- in the containers.
- type: boolean
- allowPrivilegeEscalation:
- description: |-
- allowPrivilegeEscalation determines if a pod can request to allow
- privilege escalation. If unspecified, defaults to true.
- nullable: true
- type: boolean
- allowPrivilegedContainer:
- description: allowPrivilegedContainer determines if a container can request
- to be run as privileged.
- type: boolean
- allowedCapabilities:
- description: |-
- allowedCapabilities is a list of capabilities that can be requested to add to the container.
- Capabilities in this field maybe added at the pod author's discretion.
- You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
- To allow all capabilities you may use '*'.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedFlexVolumes:
- description: |-
- allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
- Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- is allowed in the "Volumes" field.
- items:
- description: AllowedFlexVolume represents a single Flexvolume that is
- allowed to be used.
- properties:
- driver:
- description: driver is the name of the Flexvolume driver.
- type: string
- required:
- - driver
- type: object
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- allowedUnsafeSysctls:
- description: |-
- allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
- Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
-
- Examples:
- e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
- e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- apiVersion:
- description: |-
- APIVersion defines the versioned schema of this representation of an object.
- Servers should convert recognized schemas to the latest internal value, and
- may reject unrecognized values.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
- type: string
- defaultAddCapabilities:
- description: |-
- defaultAddCapabilities is the default set of capabilities that will be added to the container
- unless the pod spec specifically drops the capability. You may not list a capabiility in both
- DefaultAddCapabilities and RequiredDropCapabilities.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- defaultAllowPrivilegeEscalation:
- description: |-
- defaultAllowPrivilegeEscalation controls the default setting for whether a
- process can gain more privileges than its parent process.
- nullable: true
- type: boolean
- forbiddenSysctls:
- description: |-
- forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
- Each entry is either a plain sysctl name or ends in "*" in which case it is considered
- as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
-
- Examples:
- e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
- e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- fsGroup:
- description: fsGroup is the strategy that will dictate what fs group is
- used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of fs groups. If you would like to force a single
- fs group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what FSGroup is
- used in the SecurityContext.
- type: string
- type: object
- groups:
- description: The groups that have permission to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- kind:
- description: |-
- Kind is a string value representing the REST resource this object represents.
- Servers may infer this from the endpoint the client submits requests to.
- Cannot be updated.
- In CamelCase.
- More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
- type: string
- metadata:
- type: object
- priority:
- description: |-
- priority influences the sort order of SCCs when evaluating which SCCs to try first for
- a given pod request based on access in the Users and Groups fields. The higher the int, the
- higher priority. An unset value is considered a 0 priority. If scores
- for multiple SCCs are equal they will be sorted from most restrictive to
- least restrictive. If both priorities and restrictions are equal the
- SCCs will be sorted by name.
- format: int32
- nullable: true
- type: integer
- readOnlyRootFilesystem:
- description: |-
- readOnlyRootFilesystem when set to true will force containers to run with a read only root file
- system. If the container specifically requests to run with a non-read only root file system
- the SCC should deny the pod.
- If set to false the container may run with a read only root file system if it wishes but it
- will not be forced to.
- type: boolean
- requiredDropCapabilities:
- description: |-
- requiredDropCapabilities are the capabilities that will be dropped from the container. These
- are required to be dropped and cannot be added.
- items:
- description: Capability represent POSIX capabilities type
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- runAsUser:
- description: runAsUser is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- nullable: true
- properties:
- type:
- description: type is the strategy that will dictate what RunAsUser
- is used in the SecurityContext.
- type: string
- uid:
- description: |-
- uid is the user id that containers must run as. Required for the MustRunAs strategy if not using
- namespace/service account allocated uids.
- format: int64
- type: integer
- uidRangeMax:
- description: uidRangeMax defines the max value for a strategy that
- allocates by range.
- format: int64
- type: integer
- uidRangeMin:
- description: uidRangeMin defines the min value for a strategy that
- allocates by range.
- format: int64
- type: integer
- type: object
- seLinuxContext:
- description: seLinuxContext is the strategy that will dictate what labels
- will be set in the SecurityContext.
- nullable: true
- properties:
- seLinuxOptions:
- description: seLinuxOptions required to run as; required for MustRunAs
- properties:
- level:
- description: Level is SELinux level label that applies to the
- container.
- type: string
- role:
- description: Role is a SELinux role label that applies to the
- container.
- type: string
- type:
- description: Type is a SELinux type label that applies to the
- container.
- type: string
- user:
- description: User is a SELinux user label that applies to the
- container.
- type: string
- type: object
- type:
- description: type is the strategy that will dictate what SELinux context
- is used in the SecurityContext.
- type: string
- type: object
- seccompProfiles:
- description: "seccompProfiles lists the allowed profiles that may be set
- for the pod or\ncontainer's seccomp annotations. An unset (nil) or
- empty value means that no profiles may\nbe specifid by the pod or container.\tThe
- wildcard '*' may be used to allow all profiles. When\nused to generate
- a value for a pod the first non-wildcard profile will be used as\nthe
- default."
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- supplementalGroups:
- description: supplementalGroups is the strategy that will dictate what
- supplemental groups are used by the SecurityContext.
- nullable: true
- properties:
- ranges:
- description: |-
- ranges are the allowed ranges of supplemental groups. If you would like to force a single
- supplemental group then supply a single range with the same start and end.
- items:
- description: IDRange provides a min/max of an allowed range of IDs.
- properties:
- max:
- description: max is the end of the range, inclusive.
- format: int64
- type: integer
- min:
- description: min is the start of the range, inclusive.
- format: int64
- type: integer
- type: object
- type: array
- x-kubernetes-list-type: atomic
- type:
- description: type is the strategy that will dictate what supplemental
- groups is used in the SecurityContext.
- type: string
- type: object
- userNamespaceLevel:
- default: AllowHostLevel
- description: |-
- userNamespaceLevel determines if the policy allows host users in containers.
- Valid values are "AllowHostLevel", "RequirePodLevel", and omitted.
- When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`.
- When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`.
- When omitted, the default value is "AllowHostLevel".
- enum:
- - AllowHostLevel
- - RequirePodLevel
- type: string
- users:
- description: The users who have permissions to use this security context
- constraints
- items:
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- volumes:
- description: |-
- volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
- of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
- To allow no volumes, set to ["none"].
- items:
- description: FS Type gives strong typing to different file systems that
- are used by volumes.
- type: string
- nullable: true
- type: array
- x-kubernetes-list-type: atomic
- required:
- - allowHostDirVolumePlugin
- - allowHostIPC
- - allowHostNetwork
- - allowHostPID
- - allowHostPorts
- - allowPrivilegedContainer
- - allowedCapabilities
- - defaultAddCapabilities
- - priority
- - readOnlyRootFilesystem
- - requiredDropCapabilities
- - volumes
- type: object
- served: true
- storage: true