kubernetes/pkg/api
Kubernetes Submit Queue 72c6251508 Merge pull request #47019 from jessfraz/allowPrivilegeEscalation
Automatic merge from submit-queue (batch tested with PRs 49651, 49707, 49662, 47019, 49747)

Add support for `no_new_privs` via AllowPrivilegeEscalation

**What this PR does / why we need it**:
Implements kubernetes/community#639
Fixes #38417

Adds `AllowPrivilegeEscalation` and `DefaultAllowPrivilegeEscalation` to `PodSecurityPolicy`.
Adds `AllowPrivilegeEscalation` to container `SecurityContext`.

Adds the proposed behavior to `kuberuntime`, `dockershim`, and `rkt`. Adds a bunch of unit tests to ensure the desired default behavior and that when `DefaultAllowPrivilegeEscalation` is explicitly set.

Tests pass locally with docker and rkt runtimes. There are also a few integration tests with a `setuid` binary for sanity.

**Release note**:

```release-note
Adds AllowPrivilegeEscalation to control whether a process can gain more privileges than its parent process
```
2017-07-31 16:56:58 -07:00

| Name | Last commit | Date |
| --- | --- | --- |
| endpoints | autogenerated | 2017-04-14 10:40:57 -07:00 |
| errors | Update bazel | 2017-02-02 15:19:04 +01:00 |
| events | autogenerated | 2017-04-14 10:40:57 -07:00 |
| helper | Removes alpha feature gate for affinity annotations. Beta fields should be used. | 2017-06-23 10:02:14 -05:00 |
| install | run hack/update-all | 2017-06-22 11:31:03 -07:00 |
| meta | add back just enough empty packages to allow heapster cycles to succeed | 2017-01-17 08:07:30 -05:00 |
| persistentvolume | Remove myself from a bunch of places | 2017-07-20 12:10:46 +02:00 |
| pod | Remove myself from a bunch of places | 2017-07-20 12:10:46 +02:00 |
| ref | deepcopy: add interface deepcopy funcs | 2017-07-18 09:28:47 +02:00 |
| resource | move pkg/api/v1/ref.go and pkg/api/v1/resource.go to subpackages. move some functions in resource.go to pkg/api/v1/node and pkg/api/v1/pod | 2017-04-17 11:38:11 -07:00 |
| service | 'Global' -> 'Cluster' for traffic policy | 2017-06-01 16:17:38 -07:00 |
| testapi | autogenerated files | 2017-07-18 17:47:57 -07:00 |
| testing | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| unversioned | deepcopy: add interface deepcopy funcs | 2017-07-18 09:28:47 +02:00 |
| util | add unit test for groupversion | 2017-02-03 17:37:42 +08:00 |
| v1 | Merge pull request #47019 from jessfraz/allowPrivilegeEscalation | 2017-07-31 16:56:58 -07:00 |
| validation | Merge pull request #49286 from kargakis/remote-myself-from-some-places | 2017-07-25 06:41:08 -07:00 |
| annotation_key_constants.go | Removes alpha feature gate for affinity annotations. Beta fields should be used. | 2017-06-23 10:02:14 -05:00 |
| BUILD | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| conversion_test.go | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| copy_test.go | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| deep_copy_test.go | Remove the temporary fix for pre-1.0 mirror pods | 2017-02-02 10:37:19 -08:00 |
| defaulting_test.go | Bump ReplicaSet to apps/v1beta2 | 2017-07-26 09:51:41 -07:00 |
| doc.go | Use Go canonical import paths | 2016-07-16 13:48:21 -04:00 |
| field_constants.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| json.go | Change taint/toleration annotations to api fields. | 2017-02-22 09:27:42 -05:00 |
| meta_test.go | API | 2017-02-28 23:05:40 -08:00 |
| node_example.json | Change minion to node | 2016-09-28 10:53:30 -07:00 |
| objectreference.go | move ref.go to its own subpackage | 2017-04-13 10:02:43 -07:00 |
| OWNERS | Remove myself from a bunch of places | 2017-07-20 12:10:46 +02:00 |
| register.go | apimachinery: move unversioned registration to metav1 | 2017-05-29 11:53:45 +02:00 |
| replication_controller_example.json | Initial Quobyte support | 2016-08-18 17:13:50 +02:00 |
| resource.go | Add EmptyDir Volume and local storage for container overlay Isolation | 2017-06-05 12:05:48 -07:00 |
| serialization_proto_test.go | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| serialization_test.go | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| taint.go | move ref.go to its own subpackage | 2017-04-13 10:02:43 -07:00 |
| taint_test.go | move ref.go to its own subpackage | 2017-04-13 10:02:43 -07:00 |
| toleration.go | move ref.go to its own subpackage | 2017-04-13 10:02:43 -07:00 |
| types.go | Merge pull request #47019 from jessfraz/allowPrivilegeEscalation | 2017-07-31 16:56:58 -07:00 |
| unstructured_test.go | Unify fuzzers and roundtrip tests | 2017-07-20 12:31:00 +02:00 |
| zz_generated.deepcopy.go | allowPrivilegeEscalation: update code generation | 2017-07-24 13:55:16 -04:00 |