allow containers.privileged

knative · Dec 30, 2024 · a8e7a70 · a8e7a70
1 parent 58923e7
commit a8e7a70
Show file tree

Hide file tree

Showing 4 changed files with 7 additions and 12 deletions.
diff --git a/cmd/schema-tweak/overrides.go b/cmd/schema-tweak/overrides.go
@@ -135,12 +135,16 @@ func revSpecOverrides(prefixPath string) []entry {
 		allowedFields: sets.New(
 			"allowPrivilegeEscalation",
 			"capabilities",
+			"privileged",
 			"readOnlyRootFilesystem",
 			"runAsGroup",
 			"runAsNonRoot",
 			"runAsUser",
 			"seccompProfile",
 		),
+	}, {
+		path:        "containers.securityContext.privileged",
+		description: "Run container in privileged mode. This can only be set to explicitly to 'false'",
 	}, {
 		path: "containers.securityContext.capabilities",
 		allowedFields: sets.New(

diff --git a/config/core/300-resources/configuration.yaml b/config/core/300-resources/configuration.yaml
@@ -695,10 +695,7 @@ spec:
                                         x-kubernetes-list-type: atomic
                                   privileged:
                                     description: |-
-                                      Run container in privileged mode.
-                                      Processes in privileged containers are essentially equivalent to root on the host.
-                                      Defaults to false.
-                                      Note that this field cannot be set when spec.os.name is windows.
+                                      Run container in privileged mode. This can only be set to explicitly to 'false'
                                     type: boolean
                                   readOnlyRootFilesystem:
                                     description: |-

diff --git a/config/core/300-resources/revision.yaml b/config/core/300-resources/revision.yaml
@@ -671,10 +671,7 @@ spec:
                                 x-kubernetes-list-type: atomic
                           privileged:
                             description: |-
-                              Run container in privileged mode.
-                              Processes in privileged containers are essentially equivalent to root on the host.
-                              Defaults to false.
-                              Note that this field cannot be set when spec.os.name is windows.
+                              Run container in privileged mode. This can only be set to explicitly to 'false'
                             type: boolean
                           readOnlyRootFilesystem:
                             description: |-

diff --git a/config/core/300-resources/service.yaml b/config/core/300-resources/service.yaml
@@ -713,10 +713,7 @@ spec:
                                         x-kubernetes-list-type: atomic
                                   privileged:
                                     description: |-
-                                      Run container in privileged mode.
-                                      Processes in privileged containers are essentially equivalent to root on the host.
-                                      Defaults to false.
-                                      Note that this field cannot be set when spec.os.name is windows.
+                                      Run container in privileged mode. This can only be set to explicitly to 'false'
                                     type: boolean
                                   readOnlyRootFilesystem:
                                     description: |-