From 5e4014e436ba025709b48c444ff1d8e3b197ba69 Mon Sep 17 00:00:00 2001
From: David McWhorter
Date: Thu, 26 Oct 2023 09:30:05 -0400
Subject: [PATCH] fix grpc vuln
---
 executor/go.mod | 14 +-
 executor/go.sum | 14 +
 ...elearning.seldon.io_seldondeployments.yaml | 693 +++++++++---------
 ...elearning.seldon.io_seldondeployments.yaml | 231 +++---
 ...elearning.seldon.io_seldondeployments.yaml | 693 +++++++++---------
 5 files changed, 798 insertions(+), 847 deletions(-)
diff --git a/executor/go.mod b/executor/go.mod
index b344341dd0..aff6fd20d3 100644
--- a/executor/go.mod
+++ b/executor/go.mod
@@ -7,7 +7,7 @@ require (
 github.com/confluentinc/confluent-kafka-go v1.8.2
 github.com/ghodss/yaml v1.0.0
 github.com/go-logr/logr v1.2.3
- github.com/golang/protobuf v1.5.2
+ github.com/golang/protobuf v1.5.3
 github.com/google/uuid v1.3.0
 github.com/gorilla/mux v1.8.0
 github.com/grpc-ecosystem/go-grpc-middleware v1.3.0
@@ -24,8 +24,8 @@ require (
 go.uber.org/automaxprocs v1.4.0
 go.uber.org/zap v1.19.1
 golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f
- google.golang.org/grpc v1.47.0
- google.golang.org/protobuf v1.28.0
+ google.golang.org/grpc v1.56.3
+ google.golang.org/protobuf v1.30.0
 gotest.tools v2.2.0+incompatible
 k8s.io/api v0.25.0
 sigs.k8s.io/controller-runtime v0.12.2
@@ -35,7 +35,7 @@ require (
 github.com/PuerkitoBio/purell v1.1.1 // indirect
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 github.com/beorn7/perks v1.0.1 // indirect
- github.com/cespare/xxhash/v2 v2.1.2 // indirect
+ github.com/cespare/xxhash/v2 v2.2.0 // indirect
 github.com/codahale/hdrhistogram v0.0.0-00010101000000-000000000000 // indirect
 github.com/davecgh/go-spew v1.1.1 // indirect
 github.com/emicklei/go-restful v2.15.0+incompatible // indirect
@@ -50,7 +50,7 @@ require (
 github.com/gogo/protobuf v1.3.2 // indirect
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 github.com/google/gnostic v0.5.7-v3refs // indirect
- github.com/google/go-cmp v0.5.8 // indirect
+ github.com/google/go-cmp v0.5.9 // indirect
 github.com/google/gofuzz v1.2.0 // indirect
 github.com/imdario/mergo v0.3.12 // indirect
 github.com/josharian/intern v1.0.1-0.20211109044230-42b52b674af5 // indirect
@@ -72,14 +72,14 @@ require (
 go.uber.org/atomic v1.9.0 // indirect
 go.uber.org/multierr v1.6.0 // indirect
 golang.org/x/net v0.17.0 // indirect
- golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 // indirect
+ golang.org/x/oauth2 v0.7.0 // indirect
 golang.org/x/sys v0.13.0 // indirect
 golang.org/x/term v0.13.0 // indirect
 golang.org/x/text v0.13.0 // indirect
 golang.org/x/time v0.0.0-20220210224613-90d013bbcef8 // indirect
 gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 google.golang.org/appengine v1.6.7 // indirect
- google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03 // indirect
+ google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 // indirect
 gopkg.in/inf.v0 v0.9.1 // indirect
 gopkg.in/yaml.v2 v2.4.0 // indirect
 gopkg.in/yaml.v3 v3.0.1 // indirect
diff --git a/executor/go.sum b/executor/go.sum
index a226500af8..dc23b77f6f 100644
--- a/executor/go.sum
+++ b/executor/go.sum
@@ -104,6 +104,8 @@ github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghf
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/cespare/xxhash/v2 v2.1.2 h1:YRXhKfTDauu4ajMg1TPgFO5jnlC2HCbmLXMcTG5cbYE=
 github.com/cespare/xxhash/v2 v2.1.2/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWRnGsAI=
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
@@ -260,6 +262,8 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM=
 github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
 github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/golang/snappy v0.0.0-20180518054509-2e65f85255db/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/google/btree v0.0.0-20160524151835-7d79101e329e/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
@@ -283,6 +287,8 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/gofuzz v0.0.0-20170612174753-24818f796faf/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -750,6 +756,8 @@ golang.org/x/oauth2 v0.0.0-20211104180415-d3ed0bb246c8/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
 golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5 h1:OSnWWcOd/CtWQC2cYSBgbTSJv3ciqd8r54ySIW2y3RE=
 golang.org/x/oauth2 v0.0.0-20220411215720-9780585627b5/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -1012,6 +1020,8 @@ google.golang.org/genproto v0.0.0-20210831024726-fe130286e0e2/go.mod h1:eFjDcFEc
 google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
 google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03 h1:W70HjnmXFJm+8RNjOpIDYW2nKsSi/af0VvIZUtYkwuU=
 google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1 h1:KpwkzHKEF7B9Zxg18WzOa7djJ+Ha5DzthMyZYQfEn2A=
+google.golang.org/genproto v0.0.0-20230410155749-daa745c078e1/go.mod h1:nKE/iIaLqn2bQwXBg8f1g2Ylh6r5MN5CmZvuzZCgsCU=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.19.1/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
@@ -1038,6 +1048,8 @@ google.golang.org/grpc v1.38.0/go.mod h1:NREThFqKR1f3iQ6oBuvc5LadQuXVGo9rkm5ZGrQ
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.47.0 h1:9n77onPX5F3qfFCqjy9dhn8PbNQsIKeVU04J9G7umt8=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.56.3 h1:8I4C0Yq1EjstUzUJzpcRVbuYA2mODtEmpWiQoN/b2nc=
+google.golang.org/grpc v1.56.3/go.mod h1:I9bI3vqKfayGqPUAwGdOSu7kt6oIJLixfffKrpXqQ9s=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -1053,6 +1065,8 @@ google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQ
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.28.0 h1:w43yiav+6bVFTBQFZX0r7ipe9JQ1QsbMgHwbBziscLw=
 google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
diff --git a/operator/config/crd/bases/machinelearning.seldon.io_seldondeployments.yaml b/operator/config/crd/bases/machinelearning.seldon.io_seldondeployments.yaml
index 80d7d641f2..d36572354d 100644
--- a/operator/config/crd/bases/machinelearning.seldon.io_seldondeployments.yaml
+++ b/operator/config/crd/bases/machinelearning.seldon.io_seldondeployments.yaml
@@ -2828,10 +2828,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field
@@ -2949,10 +2946,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field
@@ -3085,10 +3079,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field
@@ -3196,15 +3187,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -3324,10 +3315,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -3749,10 +3737,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -4045,9 +4030,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod 
@@ -4059,9 +4041,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -4343,10 +4323,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -4464,10 +4441,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -4599,10 +4573,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -4828,10 +4799,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -5244,10 +5212,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -5525,6 +5490,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -5858,10 +5837,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -5979,10 +5955,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -6115,10 +6088,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -6226,15 +6196,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -6354,10 +6324,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -6779,10 +6746,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -7035,20 +6999,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -7504,6 +7467,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -7556,11 +7534,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -7570,8 +7575,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -9746,10 +9752,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -9853,10 +9856,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -9976,10 +9976,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -10078,13 +10075,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -10191,10 +10188,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -10572,10 +10566,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -13996,10 +13987,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field 
@@ -14117,10 +14105,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -14253,10 +14238,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -14364,15 +14346,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -14492,10 +14474,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -14917,10 +14896,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -15213,9 +15189,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod @@ -15227,9 +15200,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -15511,10 +15482,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -15632,10 +15600,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -15767,10 +15732,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -15996,10 +15958,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -16412,10 +16371,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -16693,6 +16649,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -17026,10 +16996,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -17147,10 +17114,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -17283,10 +17247,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -17394,15 +17355,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -17522,10 +17483,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -17947,10 +17905,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -18203,20 +18158,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -18672,6 +18626,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -18724,11 +18693,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -18738,8 +18734,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -20914,10 +20911,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -21021,10 +21015,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -21144,10 +21135,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -21246,13 +21234,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -21359,10 +21347,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -21740,10 +21725,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -25164,10 +25146,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field 
@@ -25285,10 +25264,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -25421,10 +25397,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -25532,15 +25505,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -25660,10 +25633,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -26085,10 +26055,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -26381,9 +26348,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod @@ -26395,9 +26359,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -26679,10 +26641,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -26800,10 +26759,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -26935,10 +26891,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -27164,10 +27117,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -27580,10 +27530,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -27861,6 +27808,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -28194,10 +28155,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -28315,10 +28273,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -28451,10 +28406,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -28562,15 +28514,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -28690,10 +28642,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -29115,10 +29064,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -29371,20 +29317,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -29840,6 +29785,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -29892,11 +29852,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -29906,8 +29893,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -32082,10 +32070,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -32189,10 +32174,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -32312,10 +32294,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -32414,13 +32393,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -32527,10 +32506,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -32908,10 +32884,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value diff --git a/operator/config/crd_v1_small/bases/machinelearning.seldon.io_seldondeployments.yaml b/operator/config/crd_v1_small/bases/machinelearning.seldon.io_seldondeployments.yaml index 999549ac23..45a4e7d338 100644 --- a/operator/config/crd_v1_small/bases/machinelearning.seldon.io_seldondeployments.yaml +++ b/operator/config/crd_v1_small/bases/machinelearning.seldon.io_seldondeployments.yaml 
@@ -2828,10 +2828,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -2949,10 +2946,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -3085,10 +3079,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -3196,15 +3187,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -3324,10 +3315,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -3749,10 +3737,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -4045,9 +4030,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod @@ -4059,9 +4041,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -4343,10 +4323,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -4464,10 +4441,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -4599,10 +4573,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -4828,10 +4799,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -5244,10 +5212,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -5525,6 +5490,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -5858,10 +5837,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -5979,10 +5955,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field 
@@ -6115,10 +6088,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -6226,15 +6196,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -6354,10 +6324,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -6779,10 +6746,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -7035,20 +6999,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -7504,6 +7467,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -7556,11 +7534,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -7570,8 +7575,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -9746,10 +9752,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -9853,10 +9856,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -9976,10 +9976,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -10078,13 +10075,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -10191,10 +10188,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -10572,10 +10566,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value diff --git a/operator/testing/machinelearning.seldon.io_seldondeployments.yaml b/operator/testing/machinelearning.seldon.io_seldondeployments.yaml index 700fdf7b81..5f65f41106 100644 --- a/operator/testing/machinelearning.seldon.io_seldondeployments.yaml +++ b/operator/testing/machinelearning.seldon.io_seldondeployments.yaml 
@@ -2833,10 +2833,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -2954,10 +2951,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -3090,10 +3084,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -3201,15 +3192,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -3329,10 +3320,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -3754,10 +3742,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -4050,9 +4035,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod @@ -4064,9 +4046,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -4348,10 +4328,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -4469,10 +4446,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -4604,10 +4578,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -4833,10 +4804,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -5249,10 +5217,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -5530,6 +5495,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -5863,10 +5842,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -5984,10 +5960,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field 
@@ -6120,10 +6093,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -6231,15 +6201,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -6359,10 +6329,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -6784,10 +6751,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -7040,20 +7004,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -7509,6 +7472,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -7561,11 +7539,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -7575,8 +7580,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -9751,10 +9757,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -9858,10 +9861,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -9981,10 +9981,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -10083,13 +10080,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -10196,10 +10193,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -10577,10 +10571,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -14773,10 +14764,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field 
@@ -14894,10 +14882,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -15030,10 +15015,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -15141,15 +15123,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -15269,10 +15251,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -15694,10 +15673,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -15990,9 +15966,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod @@ -16004,9 +15977,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -16288,10 +16259,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -16409,10 +16377,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -16544,10 +16509,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -16773,10 +16735,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -17189,10 +17148,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -17470,6 +17426,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -17803,10 +17773,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -17924,10 +17891,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -18060,10 +18024,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -18171,15 +18132,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -18299,10 +18260,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -18724,10 +18682,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -18980,20 +18935,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -19449,6 +19403,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -19501,11 +19470,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -19515,8 +19511,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -21691,10 +21688,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -21798,10 +21792,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -21921,10 +21912,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -22023,13 +22011,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -22136,10 +22124,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -22517,10 +22502,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -26713,10 +26695,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field 
@@ -26834,10 +26813,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -26970,10 +26946,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -27081,15 +27054,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -27209,10 +27182,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -27634,10 +27604,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -27930,9 +27897,6 @@ spec: and it cannot be modified by updating the pod spec. In order to add an ephemeral container to an existing pod, use the pod's ephemeralcontainers subresource. - This field is beta-level and available on clusters - that haven't disabled the EphemeralContainers feature - gate. items: description: "An EphemeralContainer is a temporary container that you may add to an existing Pod @@ -27944,9 +27908,7 @@ spec: causes the Pod to exceed its resource allocation. \n To add an ephemeral container, use the ephemeralcontainers subresource of an existing Pod. Ephemeral containers - may not be removed or restarted. \n This is a - beta feature available on clusters that haven't - disabled the EphemeralContainers feature gate." + may not be removed or restarted." properties: args: description: 'Arguments to the entrypoint. The @@ -28228,10 +28190,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -28349,10 +28308,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -28484,10 +28440,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -28713,10 +28666,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -29129,10 +29079,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -29410,6 +29357,20 @@ spec: description: 'Use the host''s pid namespace. Optional: Default to false.' type: boolean + hostUsers: + description: 'Use the host''s user namespace. Optional: + Default to true. If set to true or not present, + the pod will be run in the host user namespace, + useful for when the pod needs a feature only available + to the host user namespace, such as loading a kernel + module with CAP_SYS_MODULE. When set to false, a + new userns is created for the pod. Setting false + is useful for mitigating container breakout vulnerabilities + even allowing users to run their containers as root + without actually having root privileges on the host. + This field is alpha-level and is only honored by + servers that enable the UserNamespacesSupport feature.' + type: boolean hostname: description: Specifies the hostname of the Pod If not specified, the pod's hostname will be set to @@ -29743,10 +29704,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -29864,10 +29822,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood - as the same header. + name type: string value: description: The header field @@ -30000,10 +29955,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -30111,15 +30063,15 @@ spec: type: string ports: description: List of ports to expose from the - container. Exposing a port here gives the - system additional information about the network - connections a container uses, but is primarily - informational. Not specifying a port here - DOES NOT prevent that port from being exposed. + container. Not specifying a port here DOES + NOT prevent that port from being exposed. Any port which is listening on the default "0.0.0.0" address inside a container will - be accessible from the network. Cannot be - updated. + be accessible from the network. Modifying + this array with strategic merge patch may + corrupt the data. For more information See + https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -30239,10 +30191,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field @@ -30664,10 +30613,7 @@ spec: properties: name: description: The header field - name. This will be canonicalized - upon output, so case-variant - names will be understood as - the same header. + name type: string value: description: The header field 
@@ -30920,20 +30866,19 @@ spec: the following fields must be unset: -securityContext.windowsOptions \n If the OS field is set to windows, following fields must be unset: - spec.hostPID - spec.hostIPC - - spec.securityContext.seLinuxOptions - spec.securityContext.seccompProfile - - spec.securityContext.fsGroup - spec.securityContext.fsGroupChangePolicy - - spec.securityContext.sysctls - spec.shareProcessNamespace - - spec.securityContext.runAsUser - spec.securityContext.runAsGroup - - spec.securityContext.supplementalGroups - spec.containers[*].securityContext.seLinuxOptions + - spec.hostUsers - spec.securityContext.seLinuxOptions + - spec.securityContext.seccompProfile - spec.securityContext.fsGroup + - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls + - spec.shareProcessNamespace - spec.securityContext.runAsUser + - spec.securityContext.runAsGroup - spec.securityContext.supplementalGroups + - spec.containers[*].securityContext.seLinuxOptions - spec.containers[*].securityContext.seccompProfile - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation - spec.containers[*].securityContext.procMount - - spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup - This is a beta field and requires the IdentifyPodOS - feature" + spec.containers[*].securityContext.runAsUser - spec.containers[*].securityContext.runAsGroup" properties: name: description: 'Name is the name of the operating 
@@ -31389,6 +31334,21 @@ spec: type: object type: object x-kubernetes-map-type: atomic + matchLabelKeys: + description: MatchLabelKeys is a set of pod + label keys to select the pods over which spreading + will be calculated. The keys are used to lookup + values from the incoming pod labels, those + key-value labels are ANDed with labelSelector + to select the group of existing pods over + which spreading will be calculated for the + incoming pod. Keys that don't exist in the + incoming pod labels will be ignored. A null + or empty list means only match against labelSelector. + items: + type: string + type: array + x-kubernetes-list-type: atomic maxSkew: description: 'MaxSkew describes the degree to which pods may be unevenly distributed. When 
@@ -31441,11 +31401,38 @@ spec: same labelSelector cannot be scheduled, because computed skew will be 3(3 - 0) if new Pod is scheduled to any of the three zones, it - will violate MaxSkew. \n This is an alpha - field and requires enabling MinDomainsInPodTopologySpread - feature gate." + will violate MaxSkew. \n This is a beta field + and requires the MinDomainsInPodTopologySpread + feature gate to be enabled (enabled by default)." format: int32 type: integer + nodeAffinityPolicy: + description: "NodeAffinityPolicy indicates how + we will treat Pod's nodeAffinity/nodeSelector + when calculating pod topology spread skew. + Options are: - Honor: only nodes matching + nodeAffinity/nodeSelector are included in + the calculations. - Ignore: nodeAffinity/nodeSelector + are ignored. All nodes are included in the + calculations. \n If this value is nil, the + behavior is equivalent to the Honor policy. + This is a alpha-level feature enabled by the + NodeInclusionPolicyInPodTopologySpread feature + flag." + type: string + nodeTaintsPolicy: + description: "NodeTaintsPolicy indicates how + we will treat node taints when calculating + pod topology spread skew. Options are: - Honor: + nodes without taints, along with tainted nodes + for which the incoming pod has a toleration, + are included. - Ignore: node taints are ignored. + All nodes are included. \n If this value is + nil, the behavior is equivalent to the Ignore + policy. This is a alpha-level feature enabled + by the NodeInclusionPolicyInPodTopologySpread + feature flag." + type: string topologyKey: description: TopologyKey is the key of node labels. Nodes that have a label with this 
@@ -31455,8 +31442,9 @@ spec: balanced number of pods into each bucket. We define a domain as a particular instance of a topology. Also, we define an eligible - domain as a domain whose nodes match the node - selector. e.g. If TopologyKey is "kubernetes.io/hostname", + domain as a domain whose nodes meet the requirements + of nodeAffinityPolicy and nodeTaintsPolicy. + e.g. If TopologyKey is "kubernetes.io/hostname", each Node is a domain of that topology. And, if TopologyKey is "topology.kubernetes.io/zone", each zone is a domain of that topology. It's @@ -33631,10 +33619,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -33738,10 +33723,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. - This will be canonicalized upon - output, so case-variant names will - be understood as the same header. + description: The header field name type: string value: description: The header field value @@ -33861,10 +33843,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value 
@@ -33963,13 +33942,13 @@ spec: type: string ports: description: List of ports to expose from the container. - Exposing a port here gives the system additional information - about the network connections a container uses, but - is primarily informational. Not specifying a port - here DOES NOT prevent that port from being exposed. - Any port which is listening on the default "0.0.0.0" - address inside a container will be accessible from - the network. Cannot be updated. + Not specifying a port here DOES NOT prevent that port + from being exposed. Any port which is listening on + the default "0.0.0.0" address inside a container will + be accessible from the network. Modifying this array + with strategic merge patch may corrupt the data. For + more information See https://github.com/kubernetes/kubernetes/issues/108255. + Cannot be updated. items: description: ContainerPort represents a network port in a single container. @@ -34076,10 +34055,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value @@ -34457,10 +34433,7 @@ spec: header to be used in HTTP probes properties: name: - description: The header field name. This - will be canonicalized upon output, so - case-variant names will be understood - as the same header. + description: The header field name type: string value: description: The header field value