Merge pull request #60373 from sttts/sttts-1.10-cfssl

Automatic merge from submit-queue (batch tested with PRs 60373, 61098, 61352, 61359, 61362). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Bump cfssl to be compatible with Go 1.10 Kubernetes-commit: ef3539e69e4c897f48ecd6b2dd73417ce0416b08
2026-04-12 00:00:26 +08:00 · 2018-03-21 22:39:09 -07:00
parent ad3e14a611 4b88feff70
commit e4d1759a29
11 changed files with 435 additions and 433 deletions
@@ -34,14 +34,14 @@ option go_package = "v1beta1";

 // AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
 message AllowedFlexVolume {
-  // Driver is the name of the Flexvolume driver.
+  // driver is the name of the Flexvolume driver.
  optional string driver = 1;
 }

-// defines the host volume conditions that will be enabled by a policy
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
 // for pods to use. It requires the path prefix to be defined.
 message AllowedHostPath {
-  // is the path prefix that the host volume must match.
+  // pathPrefix is the path prefix that the host volume must match.
  // It does not support `*`.
  // Trailing slashes are trimmed when validating the path prefix with a host path.
  // 
@@ -410,12 +410,12 @@ message DeploymentStrategy {

 // FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
 message FSGroupStrategyOptions {
-  // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+  // rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
  // +optional
  optional string rule = 1;

-  // Ranges are the allowed ranges of fs groups.  If you would like to force a single
-  // fs group then supply a single range with the same start and end.
+  // ranges are the allowed ranges of fs groups.  If you would like to force a single
+  // fs group then supply a single range with the same start and end. Required for MustRunAs.
  // +optional
  repeated IDRange ranges = 2;
 }
@@ -448,7 +448,7 @@ message HTTPIngressRuleValue {
  repeated HTTPIngressPath paths = 1;
 }

-// Host Port Range defines a range of host ports that will be enabled by a policy
+// HostPortRange defines a range of host ports that will be enabled by a policy
 // for pods to use.  It requires both the start and end to be defined.
 message HostPortRange {
  // min is the start of the range, inclusive.
@@ -458,12 +458,12 @@ message HostPortRange {
  optional int32 max = 2;
 }

-// ID Range provides a min/max of an allowed range of IDs.
+// IDRange provides a min/max of an allowed range of IDs.
 message IDRange {
-  // Min is the start of the range, inclusive.
+  // min is the start of the range, inclusive.
  optional int64 min = 1;

-  // Max is the end of the range, inclusive.
+  // max is the end of the range, inclusive.
  optional int64 max = 2;
 }

@@ -755,7 +755,7 @@ message NetworkPolicySpec {
  repeated string policyTypes = 4;
 }

-// Pod Security Policy governs the ability to make requests that affect the Security Context
+// PodSecurityPolicy governs the ability to make requests that affect the Security Context
 // that will be applied to a pod and container.
 message PodSecurityPolicy {
  // Standard object's metadata.
@@ -768,43 +768,43 @@ message PodSecurityPolicy {
  optional PodSecurityPolicySpec spec = 2;
 }

-// Pod Security Policy List is a list of PodSecurityPolicy objects.
+// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
 message PodSecurityPolicyList {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

-  // Items is a list of schema objects.
+  // items is a list of schema objects.
  repeated PodSecurityPolicy items = 2;
 }

-// Pod Security Policy Spec defines the policy enforced.
+// PodSecurityPolicySpec defines the policy enforced.
 message PodSecurityPolicySpec {
  // privileged determines if a pod can request to be run as privileged.
  // +optional
  optional bool privileged = 1;

-  // DefaultAddCapabilities is the default set of capabilities that will be added to the container
+  // defaultAddCapabilities is the default set of capabilities that will be added to the container
  // unless the pod spec specifically drops the capability.  You may not list a capability in both
-  // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
-  // allowed, and need not be included in the AllowedCapabilities list.
+  // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
+  // allowed, and need not be included in the allowedCapabilities list.
  // +optional
  repeated string defaultAddCapabilities = 2;

-  // RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
+  // requiredDropCapabilities are the capabilities that will be dropped from the container.  These
  // are required to be dropped and cannot be added.
  // +optional
  repeated string requiredDropCapabilities = 3;

-  // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+  // allowedCapabilities is a list of capabilities that can be requested to add to the container.
  // Capabilities in this field may be added at the pod author's discretion.
-  // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+  // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
  // +optional
  repeated string allowedCapabilities = 4;

-  // volumes is a white list of allowed volume plugins.  Empty indicates that all plugins
-  // may be used.
+  // volumes is a white list of allowed volume plugins. Empty indicates that
+  // no volumes may be used. To allow all volumes you may use '*'.
  // +optional
  repeated string volumes = 5;

@@ -830,13 +830,13 @@ message PodSecurityPolicySpec {
  // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
  optional RunAsUserStrategyOptions runAsUser = 11;

-  // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+  // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
  optional SupplementalGroupsStrategyOptions supplementalGroups = 12;

-  // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+  // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
  optional FSGroupStrategyOptions fsGroup = 13;

-  // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+  // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
  // system.  If the container specifically requests to run with a non-read only root file system
  // the PSP should deny the pod.
  // If set to false the container may run with a read only root file system if it wishes but it
@@ -844,23 +844,24 @@ message PodSecurityPolicySpec {
  // +optional
  optional bool readOnlyRootFilesystem = 14;

-  // DefaultAllowPrivilegeEscalation controls the default setting for whether a
+  // defaultAllowPrivilegeEscalation controls the default setting for whether a
  // process can gain more privileges than its parent process.
  // +optional
  optional bool defaultAllowPrivilegeEscalation = 15;

-  // AllowPrivilegeEscalation determines if a pod can request to allow
+  // allowPrivilegeEscalation determines if a pod can request to allow
  // privilege escalation. If unspecified, defaults to true.
  // +optional
  optional bool allowPrivilegeEscalation = 16;

-  // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+  // allowedHostPaths is a white list of allowed host paths. Empty indicates
+  // that all host paths may be used.
  // +optional
  repeated AllowedHostPath allowedHostPaths = 17;

-  // AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
+  // allowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
  // Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
-  // is allowed in the "Volumes" field.
+  // is allowed in the "volumes" field.
  // +optional
  repeated AllowedFlexVolume allowedFlexVolumes = 18;
 }
@@ -1041,19 +1042,20 @@ message RollingUpdateDeployment {
  optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxSurge = 2;
 }

-// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
+// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
 message RunAsUserStrategyOptions {
-  // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+  // rule is the strategy that will dictate the allowable RunAsUser values that may be set.
  optional string rule = 1;

-  // Ranges are the allowed ranges of uids that may be used.
+  // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
+  // then supply a single range with the same start and end. Required for MustRunAs.
  // +optional
  repeated IDRange ranges = 2;
 }

-// SELinux  Strategy Options defines the strategy type and any options used to create the strategy.
+// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
 message SELinuxStrategyOptions {
-  // type is the strategy that will dictate the allowable labels that may be set.
+  // rule is the strategy that will dictate the allowable labels that may be set.
  optional string rule = 1;

  // seLinuxOptions required to run as; required for MustRunAs
@@ -1105,12 +1107,12 @@ message ScaleStatus {

 // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
 message SupplementalGroupsStrategyOptions {
-  // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+  // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
  // +optional
  optional string rule = 1;

-  // Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
-  // supplemental group then supply a single range with the same start and end.
+  // ranges are the allowed ranges of supplemental groups.  If you would like to force a single
+  // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
  // +optional
  repeated IDRange ranges = 2;
 }