diff --git a/api/protobuf-spec/github_com_openshift_api_security_v1.proto b/api/protobuf-spec/github_com_openshift_api_security_v1.proto
index ee508a8851c5..2823b9fb3809 100644
--- a/api/protobuf-spec/github_com_openshift_api_security_v1.proto
+++ b/api/protobuf-spec/github_com_openshift_api_security_v1.proto
@@ -281,6 +281,27 @@ message SecurityContextConstraints {
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
repeated string seccompProfiles = 20;
+
+ // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string allowedUnsafeSysctls = 24;
+
+ // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string forbiddenSysctls = 25;
}
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
diff --git a/api/swagger-spec/api-v1.json b/api/swagger-spec/api-v1.json
index fdcbd0293a1f..01589222218e 100644
--- a/api/swagger-spec/api-v1.json
+++ b/api/swagger-spec/api-v1.json
@@ -23552,6 +23552,20 @@
"type": "string"
},
"description": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default."
+ },
+ "allowedUnsafeSysctls": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."
+ },
+ "forbiddenSysctls": {
+ "type": "array",
+ "items": {
+ "type": "string"
+ },
+ "description": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
}
}
},
diff --git a/api/swagger-spec/openshift-openapi-spec.json b/api/swagger-spec/openshift-openapi-spec.json
index 8480629ca28f..bed263664070 100644
--- a/api/swagger-spec/openshift-openapi-spec.json
+++ b/api/swagger-spec/openshift-openapi-spec.json
@@ -118417,6 +118417,13 @@
"$ref": "#/definitions/com.github.openshift.api.security.v1.AllowedFlexVolume"
}
},
+ "allowedUnsafeSysctls": {
+ "description": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
"apiVersion": {
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
"type": "string"
@@ -118432,6 +118439,13 @@
"description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.",
"type": "boolean"
},
+ "forbiddenSysctls": {
+ "description": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
+ "type": "array",
+ "items": {
+ "type": "string"
+ }
+ },
"fsGroup": {
"description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"$ref": "#/definitions/com.github.openshift.api.security.v1.FSGroupStrategyOptions"
diff --git a/glide.lock b/glide.lock
index e50f656098f5..58fcb34ac84a 100644
--- a/glide.lock
+++ b/glide.lock
@@ -1,5 +1,5 @@
hash: 424aaf9eb0319384574a012df2886bbf6cd77b479e7065462bc48a61e99a9b3f
-updated: 2018-07-19T07:54:15.181641803-04:00
+updated: 2018-07-20T11:02:32.741008-04:00
imports:
- name: bitbucket.org/ww/goautoneg
version: 75cd24fc2f2c2a2088577d12123ddee5f54e0675
@@ -819,8 +819,9 @@ imports:
- go-selinux
- go-selinux/label
- name: github.com/openshift/api
- version: da58561fa85ae09a2fdc0540001acf835ad239b0
+ version: deb367a7f6d3fde2076846c2cf3a3f451c695149
subpackages:
+ - apps
- apps/v1
- authorization
- authorization/v1
diff --git a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
index b0b4e630f487..478211984178 100644
--- a/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
+++ b/pkg/cmd/server/bootstrappolicy/securitycontextconstraints.go
@@ -94,7 +94,8 @@ func GetBootstrapSecurityContextConstraints(sccNameToAdditionalGroups map[string
SupplementalGroups: securityapi.SupplementalGroupsStrategyOptions{
Type: securityapi.SupplementalGroupsStrategyRunAsAny,
},
- SeccompProfiles: []string{"*"},
+ SeccompProfiles: []string{"*"},
+ AllowedUnsafeSysctls: []string{"*"},
},
// SecurityContextConstraintNonRoot does not allow host access, allocates SELinux labels
// and allows the user to request a specific UID or provide the default in the dockerfile.
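Review bot: The added `AllowedUnsafeSysctls: []string{"*"}` grants every unsafe sysctl to pods admitted by this SCC, and nothing in the hunk says so; judging by the comment that follows, this is the SCC immediately preceding SecurityContextConstraintNonRoot, and its composite literal begins outside the hunk. Since the field documentation elsewhere in this commit states that the kubelet must itself allow-list unsafe sysctls explicitly, a short comment would keep a reader from assuming the wildcard alone is sufficient: `// "*" lets pods using this SCC request any unsafe sysctl; the kubelet's own allow-list still gates what is actually applied.`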
diff --git a/pkg/oc/lib/describe/describer.go b/pkg/oc/lib/describe/describer.go
index 500458b6a255..3abcc19f2ad5 100644
--- a/pkg/oc/lib/describe/describer.go
+++ b/pkg/oc/lib/describe/describer.go
@@ -1896,6 +1896,8 @@ func describeSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
fmt.Fprintf(out, " Allowed Seccomp Profiles:\t%s\n", stringOrNone(strings.Join(scc.SeccompProfiles, ",")))
fmt.Fprintf(out, " Allowed Volume Types:\t%s\n", fsTypeToString(scc.Volumes))
fmt.Fprintf(out, " Allowed Flexvolumes:\t%s\n", flexVolumesToString(scc.AllowedFlexVolumes))
+ fmt.Fprintf(out, " Allowed Unsafe Sysctls:\t%s\n", sysctlsToString(scc.AllowedUnsafeSysctls))
+ fmt.Fprintf(out, " Forbidden Sysctls:\t%s\n", sysctlsToString(scc.ForbiddenSysctls))
fmt.Fprintf(out, " Allow Host Network:\t%t\n", scc.AllowHostNetwork)
fmt.Fprintf(out, " Allow Host Ports:\t%t\n", scc.AllowHostPorts)
fmt.Fprintf(out, " Allow Host PID:\t%t\n", scc.AllowHostPID)
@@ -1971,6 +1973,10 @@ func flexVolumesToString(flexVolumes []securityapi.AllowedFlexVolume) string {
return stringOrDefaultValue(strings.Join(volumes, ","), "
")
}
+func sysctlsToString(sysctls []string) string {
+ return stringOrNone(strings.Join(sysctls, ","))
+}
+
func idRangeToString(ranges []securityapi.IDRange) string {
formattedString := ""
if ranges != nil {
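Review bot: `sysctlsToString` is added without a doc comment and without a blank line after the closing brace of `flexVolumesToString`, and its body is exactly the `stringOrNone(strings.Join(x, ","))` form that the `Allowed Seccomp Profiles` Fprintf in the earlier hunk still writes inline. Either reuse the helper for the seccomp line as well or drop it and inline the two new Fprintf calls; if it stays, separate it from the previous function with a blank line and document it, e.g. `// sysctlsToString renders an SCC sysctl list as a comma-separated string, falling back to stringOrNone's placeholder when the list is empty.`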
diff --git a/pkg/openapi/zz_generated.openapi.go b/pkg/openapi/zz_generated.openapi.go
index 1dcef1c2c90d..12f87f0832df 100644
--- a/pkg/openapi/zz_generated.openapi.go
+++ b/pkg/openapi/zz_generated.openapi.go
@@ -11652,6 +11652,34 @@ func schema_openshift_api_security_v1_SecurityContextConstraints(ref common.Refe
},
},
},
+ "allowedUnsafeSysctls": {
+ SchemaProps: spec.SchemaProps{
+ Description: "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ },
+ },
+ "forbiddenSysctls": {
+ SchemaProps: spec.SchemaProps{
+ Description: "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
+ Type: []string{"array"},
+ Items: &spec.SchemaOrArray{
+ Schema: &spec.Schema{
+ SchemaProps: spec.SchemaProps{
+ Type: []string{"string"},
+ Format: "",
+ },
+ },
+ },
+ },
+ },
},
Required: []string{"priority", "allowPrivilegedContainer", "defaultAddCapabilities", "requiredDropCapabilities", "allowedCapabilities", "allowHostDirVolumePlugin", "volumes", "allowHostNetwork", "allowHostPorts", "allowHostPID", "allowHostIPC", "readOnlyRootFilesystem"},
},
diff --git a/pkg/security/apis/security/types.go b/pkg/security/apis/security/types.go
index c7ce11691b9e..3d4d366d7083 100644
--- a/pkg/security/apis/security/types.go
+++ b/pkg/security/apis/security/types.go
@@ -92,6 +92,26 @@ type SecurityContextConstraints struct {
Users []string
// The groups that have permission to use this security context constraints
Groups []string
+
+ // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ AllowedUnsafeSysctls []string
+ // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ ForbiddenSysctls []string
}
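Review bot: The ForbiddenSysctls comment does not say how the list interacts with sysctls the kubelet treats as safe, yet the provider tests in this commit reject a pod requesting `kernel.shm_rmid_forced` once that name is in ForbiddenSysctls, and a lone `"*"` there rejects it as well. That is worth stating on the internal type so an SCC author does not assume only unsafe sysctls are affected: `// Entries here also apply to sysctls the kubelet treats as safe, so a forbidden name (or "*") rejects those too.` The struct continues outside the hunk.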
// FS Type gives strong typing to different file systems that are used by volumes.
diff --git a/pkg/security/apis/security/v1/zz_generated.conversion.go b/pkg/security/apis/security/v1/zz_generated.conversion.go
index c1691643c7dd..3f40feb37aa3 100644
--- a/pkg/security/apis/security/v1/zz_generated.conversion.go
+++ b/pkg/security/apis/security/v1/zz_generated.conversion.go
@@ -523,6 +523,8 @@ func autoConvert_v1_SecurityContextConstraints_To_security_SecurityContextConstr
out.Users = *(*[]string)(unsafe.Pointer(&in.Users))
out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
out.SeccompProfiles = *(*[]string)(unsafe.Pointer(&in.SeccompProfiles))
+ out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
+ out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
return nil
}
@@ -557,6 +559,8 @@ func autoConvert_security_SecurityContextConstraints_To_v1_SecurityContextConstr
out.SeccompProfiles = *(*[]string)(unsafe.Pointer(&in.SeccompProfiles))
out.Users = *(*[]string)(unsafe.Pointer(&in.Users))
out.Groups = *(*[]string)(unsafe.Pointer(&in.Groups))
+ out.AllowedUnsafeSysctls = *(*[]string)(unsafe.Pointer(&in.AllowedUnsafeSysctls))
+ out.ForbiddenSysctls = *(*[]string)(unsafe.Pointer(&in.ForbiddenSysctls))
return nil
}
diff --git a/pkg/security/apis/security/validation/validation.go b/pkg/security/apis/security/validation/validation.go
index 3fb258b391d8..b183cc956e34 100644
--- a/pkg/security/apis/security/validation/validation.go
+++ b/pkg/security/apis/security/validation/validation.go
@@ -2,6 +2,7 @@ package validation
import (
"fmt"
+ "regexp"
"strings"
"k8s.io/apimachinery/pkg/api/validation"
@@ -112,6 +113,98 @@ func ValidateSecurityContextConstraints(scc *securityapi.SecurityContextConstrai
}
}
+ allowedUnsafeSysctlsPath := field.NewPath("allowedUnsafeSysctls")
+ forbiddenSysctlsPath := field.NewPath("forbiddenSysctls")
+ allErrs = append(allErrs, validateSCCSysctls(allowedUnsafeSysctlsPath, scc.AllowedUnsafeSysctls)...)
+ allErrs = append(allErrs, validateSCCSysctls(forbiddenSysctlsPath, scc.ForbiddenSysctls)...)
+ allErrs = append(allErrs, validatePodSecurityPolicySysctlListsDoNotOverlap(allowedUnsafeSysctlsPath, forbiddenSysctlsPath, scc.AllowedUnsafeSysctls, scc.ForbiddenSysctls)...)
+
+ return allErrs
+}
+
+const sysctlPatternSegmentFmt string = "([a-z0-9][-_a-z0-9]*)?[a-z0-9*]"
+const sysctlPatternFmt string = "(" + kapivalidation.SysctlSegmentFmt + "\\.)*" + sysctlPatternSegmentFmt
+
+var sysctlPatternRegexp = regexp.MustCompile("^" + sysctlPatternFmt + "$")
+
+func IsValidSysctlPattern(name string) bool {
+ if len(name) > kapivalidation.SysctlMaxLength {
+ return false
+ }
+ return sysctlPatternRegexp.MatchString(name)
+}
+
+// validatePodSecurityPolicySysctlListsDoNotOverlap validates the values in forbiddenSysctls and allowedSysctls fields do not overlap.
+func validatePodSecurityPolicySysctlListsDoNotOverlap(allowedSysctlsFldPath, forbiddenSysctlsFldPath *field.Path, allowedUnsafeSysctls, forbiddenSysctls []string) field.ErrorList {
+ allErrs := field.ErrorList{}
+ for i, allowedSysctl := range allowedUnsafeSysctls {
+ isAllowedSysctlPattern := false
+ allowedSysctlPrefix := ""
+ if strings.HasSuffix(allowedSysctl, "*") {
+ isAllowedSysctlPattern = true
+ allowedSysctlPrefix = strings.TrimSuffix(allowedSysctl, "*")
+ }
+ for j, forbiddenSysctl := range forbiddenSysctls {
+ isForbiddenSysctlPattern := false
+ forbiddenSysctlPrefix := ""
+ if strings.HasSuffix(forbiddenSysctl, "*") {
+ isForbiddenSysctlPattern = true
+ forbiddenSysctlPrefix = strings.TrimSuffix(forbiddenSysctl, "*")
+ }
+ switch {
+ case isAllowedSysctlPattern && isForbiddenSysctlPattern:
+ if strings.HasPrefix(allowedSysctlPrefix, forbiddenSysctlPrefix) {
+ allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
+ } else if strings.HasPrefix(forbiddenSysctlPrefix, allowedSysctlPrefix) {
+ allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
+ }
+ case isAllowedSysctlPattern:
+ if strings.HasPrefix(forbiddenSysctl, allowedSysctlPrefix) {
+ allErrs = append(allErrs, field.Invalid(forbiddenSysctlsFldPath.Index(j), forbiddenSysctls[j], fmt.Sprintf("sysctl overlaps with %v", allowedSysctl)))
+ }
+ case isForbiddenSysctlPattern:
+ if strings.HasPrefix(allowedSysctl, forbiddenSysctlPrefix) {
+ allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
+ }
+ default:
+ if allowedSysctl == forbiddenSysctl {
+ allErrs = append(allErrs, field.Invalid(allowedSysctlsFldPath.Index(i), allowedUnsafeSysctls[i], fmt.Sprintf("sysctl overlaps with %v", forbiddenSysctl)))
+ }
+ }
+ }
+ }
+ return allErrs
+}
+
+// validatePodSecurityPolicySysctls validates the sysctls fields of PodSecurityPolicy.
+func validateSCCSysctls(fldPath *field.Path, sysctls []string) field.ErrorList {
+ allErrs := field.ErrorList{}
+
+ if len(sysctls) == 0 {
+ return allErrs
+ }
+
+ coversAll := false
+ for i, s := range sysctls {
+ if len(s) == 0 {
+ allErrs = append(allErrs, field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("empty sysctl not allowed")))
+ } else if !IsValidSysctlPattern(string(s)) {
+ allErrs = append(
+ allErrs,
+ field.Invalid(fldPath.Index(i), sysctls[i], fmt.Sprintf("must have at most %d characters and match regex %s",
+ kapivalidation.SysctlMaxLength,
+ sysctlPatternFmt,
+ )),
+ )
+ } else if s[0] == '*' {
+ coversAll = true
+ }
+ }
+
+ if coversAll && len(sysctls) > 1 {
+ allErrs = append(allErrs, field.Forbidden(fldPath.Child("items"), fmt.Sprintf("if '*' is present, must not specify other sysctls")))
+ }
+
return allErrs
}
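Review bot: The doc comment above `validateSCCSysctls` names a different function (`validatePodSecurityPolicySysctls`) and describes PodSecurityPolicy, so it should read `// validateSCCSysctls validates one sysctl list field of an SCC: every entry must be a valid sysctl pattern, and a lone "*" must be the only entry.`; `validatePodSecurityPolicySysctlListsDoNotOverlap` carries the same PSP naming for an SCC check, and the exported `IsValidSysctlPattern` has no comment at all. Two smaller points in the same hunk: `fmt.Sprintf` is called with a constant format and no arguments for the `empty sysctl not allowed` and `if '*' is present` messages (staticcheck flags this; pass the literal directly), and `IsValidSysctlPattern(string(s))` converts a string to a string, so `} else if !IsValidSysctlPattern(s) {` is enough. The enclosing ValidateSecurityContextConstraints starts before the hunk.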
diff --git a/pkg/security/apis/security/validation/validation_test.go b/pkg/security/apis/security/validation/validation_test.go
index e258218cd161..5b94559cb97f 100644
--- a/pkg/security/apis/security/validation/validation_test.go
+++ b/pkg/security/apis/security/validation/validation_test.go
@@ -1,6 +1,7 @@
package validation
import (
+ "fmt"
"testing"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -108,6 +109,20 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
invalidDefaultAllowPrivilegeEscalation.DefaultAllowPrivilegeEscalation = &yes
invalidDefaultAllowPrivilegeEscalation.AllowPrivilegeEscalation = &no
+ invalidAllowedUnsafeSysctlPattern := validSCC()
+ invalidAllowedUnsafeSysctlPattern.AllowedUnsafeSysctls = []string{"a.*.b"}
+
+ invalidForbiddenSysctlPattern := validSCC()
+ invalidForbiddenSysctlPattern.ForbiddenSysctls = []string{"a.*.b"}
+
+ invalidOverlappingSysctls := validSCC()
+ invalidOverlappingSysctls.ForbiddenSysctls = []string{"kernel.*", "net.ipv4.ip_local_port_range"}
+ invalidOverlappingSysctls.AllowedUnsafeSysctls = []string{"kernel.shmmax", "net.ipv4.ip_local_port_range"}
+
+ invalidDuplicatedSysctls := validSCC()
+ invalidDuplicatedSysctls.ForbiddenSysctls = []string{"net.ipv4.ip_local_port_range"}
+ invalidDuplicatedSysctls.AllowedUnsafeSysctls = []string{"net.ipv4.ip_local_port_range"}
+
errorCases := map[string]struct {
scc *securityapi.SecurityContextConstraints
errorType field.ErrorType
@@ -213,6 +228,26 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
errorType: field.ErrorTypeInvalid,
errorDetail: "Cannot set DefaultAllowPrivilegeEscalation to true without also setting AllowPrivilegeEscalation to true",
},
+ "invalid allowed unsafe sysctl pattern": {
+ scc: invalidAllowedUnsafeSysctlPattern,
+ errorType: field.ErrorTypeInvalid,
+ errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", sysctlPatternFmt),
+ },
+ "invalid forbidden sysctl pattern": {
+ scc: invalidForbiddenSysctlPattern,
+ errorType: field.ErrorTypeInvalid,
+ errorDetail: fmt.Sprintf("must have at most 253 characters and match regex %s", sysctlPatternFmt),
+ },
+ "invalid overlapping sysctl pattern": {
+ scc: invalidOverlappingSysctls,
+ errorType: field.ErrorTypeInvalid,
+ errorDetail: fmt.Sprintf("sysctl overlaps with %s", invalidOverlappingSysctls.ForbiddenSysctls[0]),
+ },
+ "invalid duplicated sysctls": {
+ scc: invalidDuplicatedSysctls,
+ errorType: field.ErrorTypeInvalid,
+ errorDetail: fmt.Sprintf("sysctl overlaps with %s", invalidDuplicatedSysctls.AllowedUnsafeSysctls[0]),
+ },
}
for k, v := range errorCases {
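Review bot: The `invalid overlapping sysctl pattern` case expects a single detail (`sysctl overlaps with kernel.*`), but the fixture built in the previous hunk also lists `net.ipv4.ip_local_port_range` in both fields, so validation reports a second overlap at index 1 that this case never checks; whether that passes depends on how the loop below (outside the hunk) matches errors. The duplicate is already covered by `invalid duplicated sysctls`, so trimming the fixture to `invalidOverlappingSysctls.AllowedUnsafeSysctls = []string{"kernel.shmmax"}` makes each case exercise exactly one rule.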
@@ -259,6 +294,12 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
validDefaultAllowPrivilegeEscalation.DefaultAllowPrivilegeEscalation = &yes
validDefaultAllowPrivilegeEscalation.AllowPrivilegeEscalation = &yes
+ withForbiddenSysctl := validSCC()
+ withForbiddenSysctl.ForbiddenSysctls = []string{"net.*"}
+
+ withAllowedUnsafeSysctl := validSCC()
+ withAllowedUnsafeSysctl.AllowedUnsafeSysctls = []string{"net.ipv4.tcp_max_syn_backlog"}
+
successCases := map[string]struct {
scc *securityapi.SecurityContextConstraints
}{
@@ -286,6 +327,12 @@ func TestValidateSecurityContextConstraints(t *testing.T) {
"valid defaultAllowPrivilegeEscalation as true": {
scc: validDefaultAllowPrivilegeEscalation,
},
+ "with network sysctls forbidden": {
+ scc: withForbiddenSysctl,
+ },
+ "with unsafe net.ipv4.tcp_max_syn_backlog sysctl allowed": {
+ scc: withAllowedUnsafeSysctl,
+ },
}
for k, v := range successCases {
diff --git a/pkg/security/apis/security/zz_generated.deepcopy.go b/pkg/security/apis/security/zz_generated.deepcopy.go
index f3bed48970e0..b6912ef440cf 100644
--- a/pkg/security/apis/security/zz_generated.deepcopy.go
+++ b/pkg/security/apis/security/zz_generated.deepcopy.go
@@ -461,6 +461,16 @@ func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstrain
*out = make([]string, len(*in))
copy(*out, *in)
}
+ if in.AllowedUnsafeSysctls != nil {
+ in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.ForbiddenSysctls != nil {
+ in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
return
}
diff --git a/pkg/security/securitycontextconstraints/provider.go b/pkg/security/securitycontextconstraints/provider.go
index 06e77969a5eb..50a07996f101 100644
--- a/pkg/security/securitycontextconstraints/provider.go
+++ b/pkg/security/securitycontextconstraints/provider.go
@@ -2,7 +2,6 @@ package securitycontextconstraints
import (
"fmt"
- "strings"
"github.com/openshift/origin/pkg/security/securitycontextconstraints/capabilities"
"github.com/openshift/origin/pkg/security/securitycontextconstraints/group"
@@ -77,15 +76,7 @@ func NewSimpleProvider(scc *securityapi.SecurityContextConstraints) (SecurityCon
return nil, err
}
- var unsafeSysctls []string
- if ann, found := scc.Annotations[SysctlsPodSecurityPolicyAnnotationKey]; found {
- var err error
- unsafeSysctls, err = SysctlsFromPodSecurityPolicyAnnotation(ann)
- if err != nil {
- return nil, err
- }
- }
- sysctlsStrat, err := createSysctlsStrategy(sysctl.SafeSysctlWhitelist(), unsafeSysctls, []string{})
+ sysctlsStrat, err := createSysctlsStrategy(sysctl.SafeSysctlWhitelist(), scc.AllowedUnsafeSysctls, scc.ForbiddenSysctls)
if err != nil {
return nil, err
}
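Review bot: With the new `createSysctlsStrategy(...)` call the legacy `security.alpha.kubernetes.io/sysctls` annotation is no longer read, and nothing in the hunk records that; an SCC that still carries the annotation silently loses the unsafe sysctls it used to grant, and pods relying on them will be rejected at admission. Failing closed is the right direction, but it deserves a comment at the call site so the next reader does not go looking for the annotation handling: `// Sysctl policy comes only from scc.AllowedUnsafeSysctls/ForbiddenSysctls; the former security.alpha.kubernetes.io/sysctls annotation is ignored.` NewSimpleProvider starts before the hunk and continues after it.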
@@ -431,19 +422,7 @@ func createSeccompStrategy(allowedProfiles []string) (seccomp.SeccompStrategy, e
return seccomp.NewWithSeccompProfile(allowedProfiles)
}
-// createSysctlsStrategy creates a new unsafe sysctls strategy.
+// createSysctlsStrategy creates a new sysctls strategy
func createSysctlsStrategy(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls []string) (sysctl.SysctlsStrategy, error) {
return sysctl.NewMustMatchPatterns(safeWhitelist, allowedUnsafeSysctls, forbiddenSysctls), nil
}
-
-// TODO promote like kube did
-const SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls"
-
-// TODO promote like kube did
-func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error) {
- if len(annotation) == 0 {
- return []string{}, nil
- }
-
- return strings.Split(annotation, ","), nil
-}
diff --git a/pkg/security/securitycontextconstraints/provider_test.go b/pkg/security/securitycontextconstraints/provider_test.go
index bf27fb07a512..67c41dc4d912 100644
--- a/pkg/security/securitycontextconstraints/provider_test.go
+++ b/pkg/security/securitycontextconstraints/provider_test.go
@@ -199,6 +199,31 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
},
}
+ failSysctlDisallowedSCC := defaultSCC()
+ failSysctlDisallowedSCC.ForbiddenSysctls = []string{"kernel.shm_rmid_forced"}
+
+ failNoSafeSysctlAllowedSCC := defaultSCC()
+ failNoSafeSysctlAllowedSCC.ForbiddenSysctls = []string{"*"}
+
+ failAllUnsafeSysctlsSCC := defaultSCC()
+ failAllUnsafeSysctlsSCC.AllowedUnsafeSysctls = []string{}
+
+ failSafeSysctlKernelPod := defaultPod()
+ failSafeSysctlKernelPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+ {
+ Name: "kernel.shm_rmid_forced",
+ Value: "1",
+ },
+ }
+
+ failUnsafeSysctlPod := defaultPod()
+ failUnsafeSysctlPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+ {
+ Name: "kernel.sem",
+ Value: "32000",
+ },
+ }
+
errorCases := map[string]struct {
pod *api.Pod
scc *securityapi.SecurityContextConstraints
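Review bot: `failAllUnsafeSysctlsSCC.AllowedUnsafeSysctls = []string{}` presumably leaves the SCC unchanged, since an empty slice behaves like the nil default and defaultSCC() (outside the hunk) is not shown populating the field; the same holds for `sysctlAllowAllSCC.ForbiddenSysctls = []string{}` in the later success hunk. If the intent is to document the default, a comment such as `// default: no unsafe sysctls allowed` says it more clearly than an assignment that does nothing; if defaultSCC() does set the field, a one-line comment noting that the override is deliberate would settle the question.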
@@ -274,6 +299,21 @@ func TestValidatePodSecurityContextFailures(t *testing.T) {
scc: allowFlexVolumesSCC(false, true),
expectedError: "Flexvolume driver is not allowed to be used",
},
+ "failSafeSysctlKernelPod with failNoSafeSysctlAllowedSCC": {
+ pod: failSafeSysctlKernelPod,
+ scc: failNoSafeSysctlAllowedSCC,
+ expectedError: "sysctl \"kernel.shm_rmid_forced\" is not allowed",
+ },
+ "failSafeSysctlKernelPod with failSysctlDisallowedSCC": {
+ pod: failSafeSysctlKernelPod,
+ scc: failSysctlDisallowedSCC,
+ expectedError: "sysctl \"kernel.shm_rmid_forced\" is not allowed",
+ },
+ "failUnsafeSysctlPod with failAllUnsafeSysctlsSCC": {
+ pod: failUnsafeSysctlPod,
+ scc: failAllUnsafeSysctlsSCC,
+ expectedError: "unsafe sysctl \"kernel.sem\" is not allowed",
+ },
}
for k, v := range errorCases {
provider, err := NewSimpleProvider(v.scc)
@@ -494,6 +534,26 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
},
}
+ sysctlAllowAllSCC := defaultSCC()
+ sysctlAllowAllSCC.ForbiddenSysctls = []string{}
+ sysctlAllowAllSCC.AllowedUnsafeSysctls = []string{"*"}
+
+ safeSysctlKernelPod := defaultPod()
+ safeSysctlKernelPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+ {
+ Name: "kernel.shm_rmid_forced",
+ Value: "1",
+ },
+ }
+
+ unsafeSysctlKernelPod := defaultPod()
+ unsafeSysctlKernelPod.Spec.SecurityContext.Sysctls = []api.Sysctl{
+ {
+ Name: "kernel.sem",
+ Value: "32000",
+ },
+ }
+
successCases := map[string]struct {
pod *api.Pod
scc *securityapi.SecurityContextConstraints
@@ -554,6 +614,14 @@ func TestValidatePodSecurityContextSuccess(t *testing.T) {
pod: flexVolumePod,
scc: allowFlexVolumesSCC(true, false),
},
+ "pass sysctl specific profile with safe kernel sysctl": {
+ pod: safeSysctlKernelPod,
+ scc: sysctlAllowAllSCC,
+ },
+ "pass sysctl specific profile with unsafe kernel sysctl": {
+ pod: unsafeSysctlKernelPod,
+ scc: sysctlAllowAllSCC,
+ },
}
for k, v := range successCases {
diff --git a/test/extended/util/test.go b/test/extended/util/test.go
index 0d364b9f3ce0..eee5879f1a45 100644
--- a/test/extended/util/test.go
+++ b/test/extended/util/test.go
@@ -254,9 +254,6 @@ var (
// alpha test that shouldn't be run
`\[NodeAlphaFeature:VolumeSubpathEnvExpansion\]`,
- // sysctl tests that don't support SCC
- `\[NodeFeature:Sysctls\]`,
-
// not enabled in Origin yet
//`\[Feature:GarbageCollector\]`,
diff --git a/vendor/github.com/openshift/api/security/v1/generated.pb.go b/vendor/github.com/openshift/api/security/v1/generated.pb.go
index ac9cd63ba9f9..b8b67b9124ab 100644
--- a/vendor/github.com/openshift/api/security/v1/generated.pb.go
+++ b/vendor/github.com/openshift/api/security/v1/generated.pb.go
@@ -956,6 +956,40 @@ func (m *SecurityContextConstraints) MarshalTo(dAtA []byte) (int, error) {
}
i++
}
+ if len(m.AllowedUnsafeSysctls) > 0 {
+ for _, s := range m.AllowedUnsafeSysctls {
+ dAtA[i] = 0xc2
+ i++
+ dAtA[i] = 0x1
+ i++
+ l = len(s)
+ for l >= 1<<7 {
+ dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+ l >>= 7
+ i++
+ }
+ dAtA[i] = uint8(l)
+ i++
+ i += copy(dAtA[i:], s)
+ }
+ }
+ if len(m.ForbiddenSysctls) > 0 {
+ for _, s := range m.ForbiddenSysctls {
+ dAtA[i] = 0xca
+ i++
+ dAtA[i] = 0x1
+ i++
+ l = len(s)
+ for l >= 1<<7 {
+ dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+ l >>= 7
+ i++
+ }
+ dAtA[i] = uint8(l)
+ i++
+ i += copy(dAtA[i:], s)
+ }
+ }
return i, nil
}
@@ -1346,6 +1380,18 @@ func (m *SecurityContextConstraints) Size() (n int) {
if m.AllowPrivilegeEscalation != nil {
n += 3
}
+ if len(m.AllowedUnsafeSysctls) > 0 {
+ for _, s := range m.AllowedUnsafeSysctls {
+ l = len(s)
+ n += 2 + l + sovGenerated(uint64(l))
+ }
+ }
+ if len(m.ForbiddenSysctls) > 0 {
+ for _, s := range m.ForbiddenSysctls {
+ l = len(s)
+ n += 2 + l + sovGenerated(uint64(l))
+ }
+ }
return n
}
@@ -1595,6 +1641,8 @@ func (this *SecurityContextConstraints) String() string {
`AllowedFlexVolumes:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.AllowedFlexVolumes), "AllowedFlexVolume", "AllowedFlexVolume", 1), `&`, ``, 1) + `,`,
`DefaultAllowPrivilegeEscalation:` + valueToStringGenerated(this.DefaultAllowPrivilegeEscalation) + `,`,
`AllowPrivilegeEscalation:` + valueToStringGenerated(this.AllowPrivilegeEscalation) + `,`,
+ `AllowedUnsafeSysctls:` + fmt.Sprintf("%v", this.AllowedUnsafeSysctls) + `,`,
+ `ForbiddenSysctls:` + fmt.Sprintf("%v", this.ForbiddenSysctls) + `,`,
`}`,
}, "")
return s
@@ -3914,6 +3962,64 @@ func (m *SecurityContextConstraints) Unmarshal(dAtA []byte) error {
}
b := bool(v != 0)
m.AllowPrivilegeEscalation = &b
+ case 24:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field AllowedUnsafeSysctls", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowGenerated
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.AllowedUnsafeSysctls = append(m.AllowedUnsafeSysctls, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
+ case 25:
+ if wireType != 2 {
+ return fmt.Errorf("proto: wrong wireType = %d for field ForbiddenSysctls", wireType)
+ }
+ var stringLen uint64
+ for shift := uint(0); ; shift += 7 {
+ if shift >= 64 {
+ return ErrIntOverflowGenerated
+ }
+ if iNdEx >= l {
+ return io.ErrUnexpectedEOF
+ }
+ b := dAtA[iNdEx]
+ iNdEx++
+ stringLen |= (uint64(b) & 0x7F) << shift
+ if b < 0x80 {
+ break
+ }
+ }
+ intStringLen := int(stringLen)
+ if intStringLen < 0 {
+ return ErrInvalidLengthGenerated
+ }
+ postIndex := iNdEx + intStringLen
+ if postIndex > l {
+ return io.ErrUnexpectedEOF
+ }
+ m.ForbiddenSysctls = append(m.ForbiddenSysctls, string(dAtA[iNdEx:postIndex]))
+ iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -4375,112 +4481,116 @@ func init() {
}
var fileDescriptorGenerated = []byte{
- // 1708 bytes of a gzipped FileDescriptorProto
- 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0xcd, 0x6f, 0x1b, 0x4d,
- 0x19, 0xcf, 0xc6, 0xf9, 0xf2, 0x24, 0x4d, 0xd2, 0xc9, 0xdb, 0x74, 0x09, 0x8d, 0x1d, 0x36, 0xa5,
- 0x8a, 0x80, 0xda, 0xa4, 0x14, 0x5a, 0x54, 0x5a, 0xe1, 0x8d, 0x9b, 0x36, 0xa8, 0x1f, 0xee, 0xb8,
- 0xa9, 0x50, 0x55, 0x21, 0x26, 0xeb, 0x89, 0x33, 0xcd, 0x7e, 0xb1, 0x33, 0xeb, 0xc6, 0xe2, 0x52,
- 0x89, 0x0b, 0x07, 0x0e, 0x48, 0xdc, 0x39, 0xc3, 0x3f, 0xc0, 0x05, 0x01, 0xd7, 0x4a, 0x20, 0xd1,
- 0x13, 0xea, 0xc9, 0xa2, 0x46, 0x9c, 0x38, 0x72, 0xeb, 0x09, 0xcd, 0x78, 0xfc, 0xb1, 0xeb, 0x5d,
- 0xc7, 0x2d, 0x6d, 0xf5, 0xde, 0x76, 0x9f, 0x8f, 0xdf, 0xf3, 0x7b, 0x9e, 0x7d, 0x66, 0xe6, 0x99,
- 0x05, 0x57, 0xeb, 0x94, 0x1f, 0x85, 0x07, 0x05, 0xcb, 0x73, 0x8a, 0x9e, 0x4f, 0x5c, 0x76, 0x44,
- 0x0f, 0x79, 0x11, 0xfb, 0xb4, 0xc8, 0x88, 0x15, 0x06, 0x94, 0x37, 0x8b, 0x8d, 0xed, 0x62, 0x9d,
- 0xb8, 0x24, 0xc0, 0x9c, 0xd4, 0x0a, 0x7e, 0xe0, 0x71, 0x0f, 0x5e, 0xec, 0x7b, 0x15, 0x7a, 0x5e,
- 0x05, 0xec, 0xd3, 0x42, 0xd7, 0xab, 0xd0, 0xd8, 0x5e, 0xbb, 0x3c, 0x80, 0x5d, 0xf7, 0xea, 0x5e,
- 0x51, 0x3a, 0x1f, 0x84, 0x87, 0xf2, 0x4d, 0xbe, 0xc8, 0xa7, 0x0e, 0xe8, 0x9a, 0x71, 0x7c, 0x9d,
- 0x15, 0xa8, 0x27, 0x83, 0x5b, 0x5e, 0x40, 0x12, 0x02, 0xaf, 0x5d, 0xed, 0xdb, 0x38, 0xd8, 0x3a,
- 0xa2, 0x2e, 0x09, 0x9a, 0x45, 0xff, 0xb8, 0x2e, 0x04, 0xac, 0xe8, 0x10, 0x8e, 0x93, 0xbc, 0x8a,
- 0x69, 0x5e, 0x41, 0xe8, 0x72, 0xea, 0x90, 0x21, 0x87, 0xef, 0x9d, 0xe6, 0xc0, 0xac, 0x23, 0xe2,
- 0xe0, 0x21, 0xbf, 0xef, 0xa4, 0xf9, 0x85, 0x9c, 0xda, 0x45, 0xea, 0x72, 0xc6, 0x83, 0xb8, 0x93,
- 0x71, 0x03, 0x9c, 0x2d, 0xd9, 0xb6, 0xf7, 0x82, 0xd4, 0x76, 0x6d, 0x72, 0xf2, 0xc4, 0xb3, 0x43,
- 0x87, 0xc0, 0x4b, 0x60, 0xa6, 0x16, 0xd0, 0x06, 0x09, 0x74, 0x6d, 0x43, 0xdb, 0xca, 0x9a, 0x8b,
- 0xaf, 0x5a, 0xf9, 0x89, 0x76, 0x2b, 0x3f, 0x53, 0x96, 0x52, 0xa4, 0xb4, 0xc6, 0xef, 0x34, 0xb0,
- 0xba, 0x5b, 0xbd, 0x13, 0x78, 0xa1, 0x5f, 0xe5, 0x02, 0xb5, 0xde, 0x7c, 0xe8, 0x73, 0xea, 0xb9,
- 0x0c, 0x5e, 0x03, 0x53, 0xbc, 0xe9, 0x13, 0x05, 0xb0, 0xa9, 0x00, 0xa6, 0x1e, 0x37, 0x7d, 0xf2,
- 0xae, 0x95, 0x5f, 0x89, 0x79, 0x09, 0x31, 0x92, 0x0e, 0x70, 0x1f, 0xcc, 0x04, 0xd8, 0xad, 0x13,
- 0xa6, 0x4f, 0x6e, 0x64, 0xb6, 0xe6, 0xaf, 0x5c, 0x2e, 0x8c, 0xf3, 0xb9, 0x0b, 0x7b, 0x65, 0x24,
- 0xbc, 0xfa, 0x54, 0xe5, 0x2b, 0x43, 0x0a, 0xcc, 0xb8, 0x03, 0x66, 0x95, 0x09, 0x5c, 0x07, 0x19,
- 0x87, 0xba, 0x92, 0x59, 0xc6, 0x9c, 0x57, 0xf6, 0x99, 0xfb, 0xd4, 0x45, 0x42, 0x2e, 0xd5, 0xf8,
- 0x44, 0x9f, 0x8c, 0xa9, 0xf1, 0x09, 0x12, 0x72, 0xe3, 0x3f, 0x1a, 0x38, 0x5f, 0xf1, 0x6a, 0x55,
- 0x15, 0xbb, 0xe2, 0xd9, 0xd4, 0x6a, 0x22, 0xd2, 0xa0, 0xe4, 0x05, 0xb4, 0xc0, 0x14, 0xf3, 0x89,
- 0x25, 0xa1, 0xe7, 0xaf, 0x94, 0xc6, 0x63, 0x9e, 0x02, 0x56, 0xf5, 0x89, 0x65, 0x2e, 0x74, 0xeb,
- 0x26, 0xde, 0x90, 0x04, 0x87, 0xc7, 0x60, 0x86, 0x71, 0xcc, 0x43, 0x26, 0x29, 0xce, 0x5f, 0xd9,
- 0xf9, 0xff, 0xc2, 0x48, 0xa8, 0x7e, 0xd9, 0x3a, 0xef, 0x48, 0x85, 0x30, 0xfe, 0xa8, 0x81, 0xaf,
- 0x8e, 0x20, 0x08, 0x1f, 0x81, 0x39, 0x4e, 0x1c, 0xdf, 0xc6, 0x9c, 0xa8, 0xac, 0x37, 0x0b, 0x9d,
- 0x36, 0x94, 0x04, 0xc4, 0x4a, 0x52, 0xc1, 0x1f, 0x2b, 0x33, 0x99, 0xd7, 0xb2, 0x0a, 0x37, 0xd7,
- 0x95, 0xa2, 0x1e, 0x0c, 0xdc, 0x03, 0x2b, 0x8c, 0x04, 0x0d, 0x6a, 0x91, 0x92, 0x65, 0x79, 0xa1,
- 0xcb, 0x1f, 0x60, 0x47, 0x75, 0x43, 0xd6, 0x3c, 0xdf, 0x6e, 0xe5, 0x57, 0xaa, 0xc3, 0x6a, 0x94,
- 0xe4, 0x63, 0xfc, 0x55, 0x03, 0xeb, 0x23, 0xf3, 0x86, 0xbf, 0xd7, 0xc0, 0x2a, 0xee, 0xf4, 0x7f,
- 0x14, 0x95, 0xe9, 0x9a, 0x6c, 0xbf, 0x47, 0xe3, 0x55, 0x37, 0xea, 0x3c, 0xba, 0xd6, 0x39, 0x95,
- 0xfc, 0x6a, 0x29, 0x31, 0x30, 0x4a, 0x21, 0x64, 0xfc, 0x72, 0x12, 0x18, 0x43, 0xc8, 0x55, 0x62,
- 0x1f, 0x56, 0xc3, 0x83, 0xe7, 0xc4, 0xe2, 0xaa, 0x09, 0xdd, 0x48, 0x13, 0xde, 0xfb, 0xc0, 0xee,
- 0x18, 0xc2, 0x4d, 0xed, 0xc7, 0x20, 0xd6, 0x8f, 0x3f, 0xfa, 0xd0, 0x88, 0x91, 0x68, 0xa3, 0xdb,
- 0xf2, 0xe7, 0xe0, 0xd2, 0x78, 0x8c, 0x3f, 0x41, 0x83, 0x1a, 0x2f, 0x27, 0x41, 0x6e, 0x34, 0x7b,
- 0xf8, 0x3c, 0xf2, 0x0d, 0xee, 0x7e, 0x94, 0x8a, 0x7c, 0x99, 0xea, 0xff, 0x27, 0x2d, 0xa9, 0x15,
- 0x3f, 0x43, 0xf1, 0xe1, 0x06, 0x98, 0x0a, 0x19, 0x09, 0x64, 0xae, 0xd9, 0x7e, 0x3d, 0xf6, 0x19,
- 0x09, 0x90, 0xd4, 0x40, 0x03, 0xcc, 0xd4, 0xc5, 0xd9, 0xc2, 0xf4, 0x8c, 0xdc, 0x32, 0x80, 0xe0,
- 0x2f, 0x4f, 0x1b, 0x86, 0x94, 0xc6, 0xf8, 0xaf, 0x06, 0x2e, 0x8e, 0x53, 0x00, 0x58, 0x01, 0x59,
- 0xb5, 0x1a, 0xcd, 0xe6, 0xa8, 0x14, 0x1e, 0x2a, 0xd7, 0x43, 0x12, 0x10, 0xd7, 0x22, 0xe6, 0x99,
- 0x76, 0x2b, 0x9f, 0x2d, 0x75, 0x3d, 0x51, 0x1f, 0x44, 0x9c, 0xad, 0x01, 0xc1, 0xcc, 0x73, 0x55,
- 0x0a, 0xfd, 0x03, 0x4b, 0x4a, 0x91, 0xd2, 0x46, 0x6a, 0x97, 0xf9, 0x38, 0x8d, 0xfb, 0x07, 0x0d,
- 0x2c, 0xc9, 0x23, 0x50, 0x10, 0xb3, 0xb0, 0x38, 0xa8, 0xe1, 0x4f, 0xc1, 0x9c, 0x18, 0x5c, 0x6a,
- 0x98, 0x63, 0x95, 0xdf, 0xb7, 0x07, 0xc2, 0xf4, 0xe6, 0x88, 0x82, 0x7f, 0x5c, 0x17, 0x02, 0x56,
- 0x10, 0xd6, 0xfd, 0x8c, 0xef, 0x13, 0x8e, 0x4d, 0xa8, 0x62, 0x82, 0xbe, 0x0c, 0xf5, 0x50, 0xe1,
- 0x26, 0x98, 0x96, 0x67, 0xb0, 0xca, 0xf7, 0x8c, 0x32, 0x9e, 0x96, 0x4c, 0x50, 0x47, 0x07, 0x2f,
- 0x80, 0x29, 0x49, 0x41, 0x64, 0xba, 0x60, 0xce, 0x89, 0x4f, 0x5a, 0xc6, 0x1c, 0x23, 0x29, 0x35,
- 0xfe, 0xae, 0x81, 0x95, 0x18, 0xf1, 0x7b, 0x94, 0x71, 0xf8, 0x6c, 0x88, 0x7c, 0x61, 0x3c, 0xf2,
- 0xc2, 0x5b, 0x52, 0xef, 0x95, 0xab, 0x2b, 0x19, 0x20, 0xfe, 0x14, 0x4c, 0x53, 0x4e, 0x9c, 0xee,
- 0x20, 0xf2, 0xdd, 0xf1, 0xd6, 0x55, 0x8c, 0x67, 0x3f, 0xdf, 0x3d, 0x81, 0x85, 0x3a, 0x90, 0xc6,
- 0x3f, 0x34, 0xa0, 0xa3, 0xd0, 0x2d, 0x31, 0xd1, 0xb8, 0xf1, 0xd9, 0xe9, 0xfb, 0x91, 0xd9, 0xe9,
- 0xeb, 0xb1, 0xd9, 0xe9, 0xdc, 0x90, 0xdf, 0xc0, 0xf4, 0xf4, 0x15, 0x90, 0x09, 0x69, 0x4d, 0x0d,
- 0x2f, 0xb3, 0x62, 0x70, 0xd9, 0xdf, 0x2b, 0x23, 0x21, 0x83, 0xdb, 0x60, 0x3e, 0xa4, 0x35, 0x49,
- 0xef, 0x3e, 0x75, 0x65, 0xa5, 0x33, 0xe6, 0x52, 0xbb, 0x95, 0x9f, 0xdf, 0x57, 0x93, 0x91, 0x18,
- 0x81, 0x06, 0x6d, 0x22, 0x2e, 0xf8, 0x44, 0x9f, 0x4a, 0x70, 0xc1, 0x27, 0x68, 0xd0, 0xc6, 0xf8,
- 0x8b, 0x06, 0xd6, 0xab, 0xb7, 0xef, 0x51, 0x37, 0x3c, 0xd9, 0xf1, 0x5c, 0x4e, 0x4e, 0x78, 0x3c,
- 0xbb, 0x5b, 0x91, 0xec, 0xbe, 0x11, 0xcb, 0x6e, 0x2d, 0xd9, 0x79, 0x20, 0xc5, 0x9f, 0x80, 0x45,
- 0x46, 0xa4, 0x8d, 0x42, 0x54, 0xfb, 0x9e, 0x91, 0xb4, 0x3c, 0x14, 0x9a, 0xb2, 0x34, 0x61, 0xbb,
- 0x95, 0x5f, 0x8c, 0xca, 0x50, 0x0c, 0xcd, 0xf8, 0xd5, 0x32, 0x58, 0xeb, 0x6e, 0x0c, 0x8a, 0xc5,
- 0x8e, 0xe7, 0x32, 0x1e, 0x60, 0x31, 0x42, 0x7f, 0x86, 0x05, 0xb3, 0x05, 0xe6, 0xfc, 0x80, 0x7a,
- 0x22, 0xbe, 0x4c, 0x6d, 0xda, 0x5c, 0x10, 0x1d, 0x5a, 0x51, 0x32, 0xd4, 0xd3, 0xc2, 0x67, 0x40,
- 0x97, 0x1b, 0x4b, 0x25, 0xa0, 0x0d, 0x6a, 0x93, 0x3a, 0xa9, 0x09, 0xc2, 0x58, 0x10, 0x90, 0xdf,
- 0x77, 0xce, 0xdc, 0x50, 0x91, 0xf4, 0x52, 0x8a, 0x1d, 0x4a, 0x45, 0x80, 0x0c, 0xac, 0xd6, 0xc8,
- 0x21, 0x0e, 0x6d, 0x5e, 0xaa, 0xd5, 0x76, 0xb0, 0x8f, 0x0f, 0xa8, 0x4d, 0x39, 0x25, 0x4c, 0x9f,
- 0x92, 0x1b, 0xeb, 0x0d, 0x31, 0xc3, 0x94, 0x13, 0x2d, 0xde, 0xb5, 0xf2, 0xeb, 0xc3, 0x17, 0xaa,
- 0x42, 0xcf, 0xa4, 0x89, 0x52, 0xa0, 0x61, 0x13, 0xe8, 0x01, 0xf9, 0x59, 0x48, 0x03, 0x52, 0x2b,
- 0x07, 0x9e, 0x1f, 0x09, 0x3b, 0x2d, 0xc3, 0xde, 0x14, 0xe9, 0xa0, 0x14, 0x9b, 0xd3, 0x03, 0xa7,
- 0xc2, 0xc3, 0xe7, 0x60, 0x45, 0x6d, 0xd3, 0x91, 0xa8, 0x33, 0x32, 0xea, 0x75, 0x31, 0x78, 0x96,
- 0x86, 0xd5, 0xa7, 0x07, 0x4c, 0x02, 0xed, 0x7d, 0xb9, 0xbb, 0x1e, 0xe3, 0x65, 0x1a, 0x74, 0xee,
- 0x5d, 0x15, 0x3b, 0xac, 0x53, 0x57, 0x9f, 0x4d, 0xf8, 0x72, 0x09, 0x76, 0x28, 0x15, 0x01, 0x16,
- 0xc1, 0x6c, 0x43, 0xbe, 0x33, 0x7d, 0x4e, 0xb2, 0x3f, 0xd7, 0x6e, 0xe5, 0x67, 0x3b, 0x26, 0x82,
- 0xf1, 0xcc, 0x6e, 0x55, 0x2e, 0xa8, 0xae, 0x15, 0x2c, 0x83, 0xe5, 0x1e, 0xd8, 0x03, 0xc2, 0x5f,
- 0x78, 0xc1, 0xb1, 0x9e, 0x95, 0x34, 0x74, 0x45, 0x63, 0xb9, 0x14, 0xd3, 0xa3, 0x21, 0x0f, 0x78,
- 0x0b, 0x2c, 0xf6, 0x64, 0x15, 0x2f, 0xe0, 0x4c, 0x07, 0x12, 0x63, 0x55, 0x61, 0x2c, 0x96, 0x22,
- 0x5a, 0x14, 0xb3, 0x86, 0xd7, 0xc1, 0x42, 0x5f, 0xb2, 0x57, 0xd6, 0xe7, 0xa5, 0xf7, 0x17, 0xca,
- 0x7b, 0xa1, 0x34, 0xa0, 0x43, 0x11, 0xcb, 0x88, 0xe7, 0x5e, 0x65, 0x47, 0x5f, 0x48, 0xf1, 0xdc,
- 0xab, 0xec, 0xa0, 0x88, 0x25, 0xfc, 0x85, 0xd6, 0xdb, 0x4e, 0xd4, 0x62, 0xd7, 0xcf, 0xbc, 0xcf,
- 0xb5, 0x6a, 0xe4, 0x5e, 0xd7, 0xcf, 0x3c, 0x6a, 0x86, 0x62, 0x21, 0xa1, 0x07, 0xb2, 0x41, 0x77,
- 0x57, 0xd7, 0x17, 0x65, 0xfc, 0x5b, 0x63, 0x1e, 0x37, 0x29, 0x87, 0x88, 0x79, 0x56, 0x85, 0xce,
- 0xf6, 0x2c, 0x50, 0x3f, 0x06, 0xfc, 0x8d, 0x06, 0x20, 0x0b, 0x7d, 0xdf, 0x26, 0x0e, 0x71, 0x39,
- 0xb6, 0x3b, 0xf3, 0x91, 0xbe, 0x24, 0x43, 0xdf, 0x19, 0x33, 0xf5, 0x21, 0xff, 0x38, 0x87, 0x35,
- 0xc5, 0x01, 0x0e, 0x9b, 0xa2, 0x84, 0xf0, 0xb0, 0x0e, 0x66, 0x0f, 0x99, 0x7c, 0xd6, 0x97, 0x25,
- 0x93, 0x1f, 0x8c, 0xc7, 0x24, 0xf9, 0x1f, 0x84, 0xb9, 0xa4, 0xc2, 0xcf, 0x2a, 0x3d, 0xea, 0xa2,
- 0xc3, 0x27, 0x60, 0x35, 0x20, 0xb8, 0xf6, 0xd0, 0xb5, 0x9b, 0xc8, 0xf3, 0xf8, 0x2e, 0xb5, 0x09,
- 0x6b, 0x32, 0x4e, 0x1c, 0xfd, 0xac, 0xec, 0x9c, 0xde, 0x15, 0x0d, 0x25, 0x5a, 0xa1, 0x14, 0x6f,
- 0x98, 0x07, 0xd3, 0x62, 0x06, 0x65, 0x3a, 0x94, 0xcb, 0x2e, 0x2b, 0xce, 0x7d, 0x51, 0x6f, 0x86,
- 0x3a, 0xf2, 0x81, 0xe1, 0x74, 0x25, 0x6d, 0x38, 0x85, 0x37, 0xc1, 0x12, 0x23, 0x96, 0xe5, 0x39,
- 0x7e, 0x25, 0xf0, 0x0e, 0x05, 0xb8, 0xfe, 0x85, 0x34, 0x5e, 0x69, 0xb7, 0xf2, 0x4b, 0xd5, 0xa8,
- 0x0a, 0xc5, 0x6d, 0x45, 0x47, 0x43, 0x1c, 0xff, 0xa5, 0xc3, 0xf4, 0x73, 0x72, 0x88, 0xb9, 0x36,
- 0x5e, 0x41, 0x87, 0x7e, 0x09, 0xf5, 0x3f, 0xe5, 0x90, 0x8a, 0xa1, 0x84, 0x70, 0xd0, 0x01, 0xf9,
- 0xee, 0x0e, 0x1f, 0x39, 0x5f, 0x6e, 0x33, 0x0b, 0xdb, 0x72, 0x32, 0xd2, 0x57, 0x65, 0xa9, 0x37,
- 0xdb, 0xad, 0x7c, 0xbe, 0x3c, 0xda, 0x14, 0x9d, 0x86, 0x05, 0x7f, 0x1c, 0x3f, 0x09, 0x07, 0xe2,
- 0x9c, 0x97, 0x71, 0x2e, 0x0c, 0x9f, 0x82, 0x03, 0x01, 0x52, 0xbd, 0x8d, 0x7f, 0x6b, 0x20, 0x97,
- 0x3e, 0x0e, 0x7c, 0x86, 0x31, 0x94, 0x44, 0xc7, 0xd0, 0x1f, 0x8e, 0xfb, 0x43, 0x22, 0x8d, 0x72,
- 0xca, 0x44, 0xfa, 0xdb, 0x49, 0xf0, 0xcd, 0xf7, 0xf8, 0x8b, 0x01, 0xff, 0xa6, 0x81, 0x8b, 0xfe,
- 0x18, 0x57, 0x28, 0x55, 0x91, 0x8f, 0x79, 0x2b, 0xfd, 0x96, 0x4a, 0x60, 0xac, 0x2b, 0x1c, 0x1a,
- 0x8b, 0xa5, 0xb8, 0x57, 0xba, 0xd8, 0x21, 0xf1, 0x7b, 0xe5, 0x03, 0xec, 0x10, 0x24, 0x35, 0xc6,
- 0x9f, 0x35, 0xf0, 0xb5, 0x53, 0xb7, 0x3c, 0x68, 0x46, 0xa6, 0xdb, 0x42, 0x6c, 0xba, 0xcd, 0xa5,
- 0x03, 0x7c, 0xf2, 0x5f, 0xa0, 0xe6, 0xd6, 0xab, 0xb7, 0xb9, 0x89, 0xd7, 0x6f, 0x73, 0x13, 0x6f,
- 0xde, 0xe6, 0x26, 0x5e, 0xb6, 0x73, 0xda, 0xab, 0x76, 0x4e, 0x7b, 0xdd, 0xce, 0x69, 0x6f, 0xda,
- 0x39, 0xed, 0x9f, 0xed, 0x9c, 0xf6, 0xeb, 0x7f, 0xe5, 0x26, 0x9e, 0x4e, 0x36, 0xb6, 0xff, 0x17,
- 0x00, 0x00, 0xff, 0xff, 0x73, 0x3b, 0x40, 0x35, 0x98, 0x17, 0x00, 0x00,
+ // 1765 bytes of a gzipped FileDescriptorProto
+ 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x58, 0xcd, 0x6f, 0x24, 0x47,
+ 0x15, 0x77, 0x7b, 0xfc, 0x35, 0x65, 0xaf, 0x3f, 0xca, 0x5e, 0x6f, 0xc7, 0xc4, 0x33, 0xa6, 0xbd,
+ 0x44, 0x16, 0x90, 0x19, 0xbc, 0x04, 0xb2, 0x28, 0x64, 0x95, 0x69, 0x4f, 0xbc, 0x31, 0xf2, 0xee,
+ 0x4e, 0x6a, 0xe2, 0x08, 0x45, 0x11, 0xa2, 0xdc, 0x53, 0x33, 0xae, 0x75, 0x7f, 0xd1, 0x55, 0x3d,
+ 0xeb, 0x11, 0x97, 0x48, 0x5c, 0x38, 0x22, 0x71, 0x45, 0x9c, 0xe1, 0x1f, 0xe0, 0x82, 0x80, 0xeb,
+ 0x4a, 0x20, 0x91, 0x13, 0xca, 0x69, 0xc4, 0x0e, 0xe2, 0xc4, 0x91, 0x5b, 0x4e, 0xa8, 0x6a, 0x6a,
+ 0x3e, 0xfa, 0x6b, 0x3c, 0x09, 0xbb, 0xab, 0xdc, 0x66, 0xde, 0x7b, 0xbf, 0xdf, 0xfb, 0xbd, 0xea,
+ 0xd7, 0x55, 0xaf, 0x1a, 0xbc, 0xd1, 0xa2, 0xfc, 0x22, 0x3c, 0x2f, 0x59, 0x9e, 0x53, 0xf6, 0x7c,
+ 0xe2, 0xb2, 0x0b, 0xda, 0xe4, 0x65, 0xec, 0xd3, 0x32, 0x23, 0x56, 0x18, 0x50, 0xde, 0x29, 0xb7,
+ 0x0f, 0xcb, 0x2d, 0xe2, 0x92, 0x00, 0x73, 0xd2, 0x28, 0xf9, 0x81, 0xc7, 0x3d, 0x78, 0x7b, 0x84,
+ 0x2a, 0x0d, 0x51, 0x25, 0xec, 0xd3, 0xd2, 0x00, 0x55, 0x6a, 0x1f, 0xee, 0xbc, 0x3e, 0xc6, 0xdd,
+ 0xf2, 0x5a, 0x5e, 0x59, 0x82, 0xcf, 0xc3, 0xa6, 0xfc, 0x27, 0xff, 0xc8, 0x5f, 0x7d, 0xd2, 0x1d,
+ 0xe3, 0xf2, 0x2e, 0x2b, 0x51, 0x4f, 0x26, 0xb7, 0xbc, 0x80, 0xa4, 0x24, 0xde, 0x79, 0x63, 0x14,
+ 0xe3, 0x60, 0xeb, 0x82, 0xba, 0x24, 0xe8, 0x94, 0xfd, 0xcb, 0x96, 0x30, 0xb0, 0xb2, 0x43, 0x38,
+ 0x4e, 0x43, 0x95, 0xb3, 0x50, 0x41, 0xe8, 0x72, 0xea, 0x90, 0x04, 0xe0, 0xfb, 0xd7, 0x01, 0x98,
+ 0x75, 0x41, 0x1c, 0x9c, 0xc0, 0x7d, 0x37, 0x0b, 0x17, 0x72, 0x6a, 0x97, 0xa9, 0xcb, 0x19, 0x0f,
+ 0xe2, 0x20, 0xe3, 0x2d, 0xb0, 0x51, 0xb1, 0x6d, 0xef, 0x09, 0x69, 0x1c, 0xdb, 0xe4, 0xea, 0x43,
+ 0xcf, 0x0e, 0x1d, 0x02, 0x5f, 0x03, 0x0b, 0x8d, 0x80, 0xb6, 0x49, 0xa0, 0x6b, 0x7b, 0xda, 0x41,
+ 0xde, 0x5c, 0x7d, 0xda, 0x2d, 0xce, 0xf4, 0xba, 0xc5, 0x85, 0xaa, 0xb4, 0x22, 0xe5, 0x35, 0x7e,
+ 0xa7, 0x81, 0xed, 0xe3, 0xfa, 0xfd, 0xc0, 0x0b, 0xfd, 0x3a, 0x17, 0xac, 0xad, 0xce, 0x23, 0x9f,
+ 0x53, 0xcf, 0x65, 0xf0, 0x4d, 0x30, 0xc7, 0x3b, 0x3e, 0x51, 0x04, 0xfb, 0x8a, 0x60, 0xee, 0x83,
+ 0x8e, 0x4f, 0x3e, 0xef, 0x16, 0x37, 0x63, 0x28, 0x61, 0x46, 0x12, 0x00, 0xcf, 0xc0, 0x42, 0x80,
+ 0xdd, 0x16, 0x61, 0xfa, 0xec, 0x5e, 0xee, 0x60, 0xf9, 0xce, 0xeb, 0xa5, 0x69, 0x1e, 0x77, 0xe9,
+ 0xa4, 0x8a, 0x04, 0x6a, 0x24, 0x55, 0xfe, 0x65, 0x48, 0x91, 0x19, 0xf7, 0xc1, 0xa2, 0x0a, 0x81,
+ 0xbb, 0x20, 0xe7, 0x50, 0x57, 0x2a, 0xcb, 0x99, 0xcb, 0x2a, 0x3e, 0xf7, 0x80, 0xba, 0x48, 0xd8,
+ 0xa5, 0x1b, 0x5f, 0xe9, 0xb3, 0x31, 0x37, 0xbe, 0x42, 0xc2, 0x6e, 0xfc, 0x47, 0x03, 0xb7, 0x6a,
+ 0x5e, 0xa3, 0xae, 0x72, 0xd7, 0x3c, 0x9b, 0x5a, 0x1d, 0x44, 0xda, 0x94, 0x3c, 0x81, 0x16, 0x98,
+ 0x63, 0x3e, 0xb1, 0x24, 0xf5, 0xf2, 0x9d, 0xca, 0x74, 0xca, 0x33, 0xc8, 0xea, 0x3e, 0xb1, 0xcc,
+ 0x95, 0xc1, 0xba, 0x89, 0x7f, 0x48, 0x92, 0xc3, 0x4b, 0xb0, 0xc0, 0x38, 0xe6, 0x21, 0x93, 0x12,
+ 0x97, 0xef, 0x1c, 0xfd, 0x7f, 0x69, 0x24, 0xd5, 0x68, 0xd9, 0xfa, 0xff, 0x91, 0x4a, 0x61, 0xfc,
+ 0x51, 0x03, 0x5f, 0x9b, 0x20, 0x10, 0xbe, 0x0f, 0x96, 0x38, 0x71, 0x7c, 0x1b, 0x73, 0xa2, 0xaa,
+ 0xde, 0x2f, 0xf5, 0xdb, 0x50, 0x0a, 0x10, 0x6f, 0x92, 0x4a, 0xfe, 0x81, 0x0a, 0x93, 0x75, 0xad,
+ 0xab, 0x74, 0x4b, 0x03, 0x2b, 0x1a, 0xd2, 0xc0, 0x13, 0xb0, 0xc9, 0x48, 0xd0, 0xa6, 0x16, 0xa9,
+ 0x58, 0x96, 0x17, 0xba, 0xfc, 0x21, 0x76, 0x54, 0x37, 0xe4, 0xcd, 0x5b, 0xbd, 0x6e, 0x71, 0xb3,
+ 0x9e, 0x74, 0xa3, 0x34, 0x8c, 0xf1, 0x57, 0x0d, 0xec, 0x4e, 0xac, 0x1b, 0xfe, 0x5e, 0x03, 0xdb,
+ 0xb8, 0xdf, 0xff, 0x51, 0x56, 0xa6, 0x6b, 0xb2, 0xfd, 0xde, 0x9f, 0x6e, 0x75, 0xa3, 0xe0, 0xc9,
+ 0x6b, 0x5d, 0x50, 0xc5, 0x6f, 0x57, 0x52, 0x13, 0xa3, 0x0c, 0x41, 0xc6, 0x2f, 0x67, 0x81, 0x91,
+ 0x60, 0xae, 0x13, 0xbb, 0x59, 0x0f, 0xcf, 0x1f, 0x13, 0x8b, 0xab, 0x26, 0x74, 0x23, 0x4d, 0x78,
+ 0xfa, 0x25, 0xbb, 0x23, 0xc1, 0x9b, 0xd9, 0x8f, 0x41, 0xac, 0x1f, 0x7f, 0xf4, 0x65, 0x33, 0x46,
+ 0xb2, 0x4d, 0x6e, 0xcb, 0x9f, 0x83, 0xd7, 0xa6, 0x53, 0xfc, 0x02, 0x1a, 0xd4, 0xf8, 0x64, 0x16,
+ 0x14, 0x26, 0xab, 0x87, 0x8f, 0x23, 0xcf, 0xe0, 0xbd, 0xe7, 0xb2, 0x22, 0x5f, 0xa5, 0xf5, 0xff,
+ 0x93, 0x96, 0xd6, 0x8a, 0x2f, 0x61, 0xf1, 0xe1, 0x1e, 0x98, 0x0b, 0x19, 0x09, 0x64, 0xad, 0xf9,
+ 0xd1, 0x7a, 0x9c, 0x31, 0x12, 0x20, 0xe9, 0x81, 0x06, 0x58, 0x68, 0x89, 0xb3, 0x85, 0xe9, 0x39,
+ 0xb9, 0x65, 0x00, 0xa1, 0x5f, 0x9e, 0x36, 0x0c, 0x29, 0x8f, 0xf1, 0x5f, 0x0d, 0xdc, 0x9e, 0x66,
+ 0x01, 0x60, 0x0d, 0xe4, 0xd5, 0xdb, 0x68, 0x76, 0x26, 0x95, 0xf0, 0x48, 0x41, 0x9b, 0x24, 0x20,
+ 0xae, 0x45, 0xcc, 0x1b, 0xbd, 0x6e, 0x31, 0x5f, 0x19, 0x20, 0xd1, 0x88, 0x44, 0x9c, 0xad, 0x01,
+ 0xc1, 0xcc, 0x73, 0x55, 0x09, 0xa3, 0x03, 0x4b, 0x5a, 0x91, 0xf2, 0x46, 0xd6, 0x2e, 0xf7, 0x7c,
+ 0x1a, 0xf7, 0x0f, 0x1a, 0x58, 0x93, 0x47, 0xa0, 0x10, 0x66, 0x61, 0x71, 0x50, 0xc3, 0x9f, 0x82,
+ 0x25, 0x31, 0xb8, 0x34, 0x30, 0xc7, 0xaa, 0xbe, 0xef, 0x8c, 0xa5, 0x19, 0xce, 0x11, 0x25, 0xff,
+ 0xb2, 0x25, 0x0c, 0xac, 0x24, 0xa2, 0x47, 0x15, 0x3f, 0x20, 0x1c, 0x9b, 0x50, 0xe5, 0x04, 0x23,
+ 0x1b, 0x1a, 0xb2, 0xc2, 0x7d, 0x30, 0x2f, 0xcf, 0x60, 0x55, 0xef, 0x0d, 0x15, 0x3c, 0x2f, 0x95,
+ 0xa0, 0xbe, 0x0f, 0xbe, 0x0a, 0xe6, 0xa4, 0x04, 0x51, 0xe9, 0x8a, 0xb9, 0x24, 0x1e, 0x69, 0x15,
+ 0x73, 0x8c, 0xa4, 0xd5, 0xf8, 0xbb, 0x06, 0x36, 0x63, 0xc2, 0x4f, 0x29, 0xe3, 0xf0, 0xe3, 0x84,
+ 0xf8, 0xd2, 0x74, 0xe2, 0x05, 0x5a, 0x4a, 0x1f, 0x2e, 0xd7, 0xc0, 0x32, 0x26, 0xfc, 0x23, 0x30,
+ 0x4f, 0x39, 0x71, 0x06, 0x83, 0xc8, 0xf7, 0xa6, 0x7b, 0xaf, 0x62, 0x3a, 0x47, 0xf5, 0x9e, 0x08,
+ 0x2e, 0xd4, 0xa7, 0x34, 0xfe, 0xa1, 0x01, 0x1d, 0x85, 0x6e, 0x85, 0x89, 0xc6, 0x8d, 0xcf, 0x4e,
+ 0x3f, 0x88, 0xcc, 0x4e, 0xdf, 0x88, 0xcd, 0x4e, 0x37, 0x13, 0xb8, 0xb1, 0xe9, 0xe9, 0x15, 0x90,
+ 0x0b, 0x69, 0x43, 0x0d, 0x2f, 0x8b, 0x62, 0x70, 0x39, 0x3b, 0xa9, 0x22, 0x61, 0x83, 0x87, 0x60,
+ 0x39, 0xa4, 0x0d, 0x29, 0xef, 0x01, 0x75, 0xe5, 0x4a, 0xe7, 0xcc, 0xb5, 0x5e, 0xb7, 0xb8, 0x7c,
+ 0xa6, 0x26, 0x23, 0x31, 0x02, 0x8d, 0xc7, 0x44, 0x20, 0xf8, 0x4a, 0x9f, 0x4b, 0x81, 0xe0, 0x2b,
+ 0x34, 0x1e, 0x63, 0xfc, 0x45, 0x03, 0xbb, 0xf5, 0x77, 0x4f, 0xa9, 0x1b, 0x5e, 0x1d, 0x79, 0x2e,
+ 0x27, 0x57, 0x3c, 0x5e, 0xdd, 0xbd, 0x48, 0x75, 0xdf, 0x8c, 0x55, 0xb7, 0x93, 0x0e, 0x1e, 0x2b,
+ 0xf1, 0x27, 0x60, 0x95, 0x11, 0x19, 0xa3, 0x18, 0xd5, 0xbe, 0x67, 0xa4, 0xbd, 0x1e, 0x8a, 0x4d,
+ 0x45, 0x9a, 0xb0, 0xd7, 0x2d, 0xae, 0x46, 0x6d, 0x28, 0xc6, 0x66, 0xfc, 0x66, 0x03, 0xec, 0x0c,
+ 0x36, 0x06, 0xa5, 0xe2, 0xc8, 0x73, 0x19, 0x0f, 0xb0, 0x18, 0xa1, 0x5f, 0xc2, 0x0b, 0x73, 0x00,
+ 0x96, 0xfc, 0x80, 0x7a, 0x22, 0xbf, 0x2c, 0x6d, 0xde, 0x5c, 0x11, 0x1d, 0x5a, 0x53, 0x36, 0x34,
+ 0xf4, 0xc2, 0x8f, 0x81, 0x2e, 0x37, 0x96, 0x5a, 0x40, 0xdb, 0xd4, 0x26, 0x2d, 0xd2, 0x10, 0x82,
+ 0xb1, 0x10, 0x20, 0x9f, 0xef, 0x92, 0xb9, 0xa7, 0x32, 0xe9, 0x95, 0x8c, 0x38, 0x94, 0xc9, 0x00,
+ 0x19, 0xd8, 0x6e, 0x90, 0x26, 0x0e, 0x6d, 0x5e, 0x69, 0x34, 0x8e, 0xb0, 0x8f, 0xcf, 0xa9, 0x4d,
+ 0x39, 0x25, 0x4c, 0x9f, 0x93, 0x1b, 0xeb, 0x5b, 0x62, 0x86, 0xa9, 0xa6, 0x46, 0x7c, 0xde, 0x2d,
+ 0xee, 0x26, 0x2f, 0x54, 0xa5, 0x61, 0x48, 0x07, 0x65, 0x50, 0xc3, 0x0e, 0xd0, 0x03, 0xf2, 0xb3,
+ 0x90, 0x06, 0xa4, 0x51, 0x0d, 0x3c, 0x3f, 0x92, 0x76, 0x5e, 0xa6, 0x7d, 0x5b, 0x94, 0x83, 0x32,
+ 0x62, 0xae, 0x4f, 0x9c, 0x49, 0x0f, 0x1f, 0x83, 0x4d, 0xb5, 0x4d, 0x47, 0xb2, 0x2e, 0xc8, 0xac,
+ 0x77, 0xc5, 0xe0, 0x59, 0x49, 0xba, 0xaf, 0x4f, 0x98, 0x46, 0x3a, 0x7c, 0x72, 0xef, 0x79, 0x8c,
+ 0x57, 0x69, 0xd0, 0xbf, 0x77, 0xd5, 0xec, 0xb0, 0x45, 0x5d, 0x7d, 0x31, 0xe5, 0xc9, 0xa5, 0xc4,
+ 0xa1, 0x4c, 0x06, 0x58, 0x06, 0x8b, 0x6d, 0xf9, 0x9f, 0xe9, 0x4b, 0x52, 0xfd, 0xcd, 0x5e, 0xb7,
+ 0xb8, 0xd8, 0x0f, 0x11, 0x8a, 0x17, 0x8e, 0xeb, 0xf2, 0x85, 0x1a, 0x44, 0xc1, 0x2a, 0x58, 0x1f,
+ 0x92, 0x3d, 0x24, 0xfc, 0x89, 0x17, 0x5c, 0xea, 0x79, 0x29, 0x43, 0x57, 0x32, 0xd6, 0x2b, 0x31,
+ 0x3f, 0x4a, 0x20, 0xe0, 0x3d, 0xb0, 0x3a, 0xb4, 0xd5, 0xbc, 0x80, 0x33, 0x1d, 0x48, 0x8e, 0x6d,
+ 0xc5, 0xb1, 0x5a, 0x89, 0x78, 0x51, 0x2c, 0x1a, 0xde, 0x05, 0x2b, 0x23, 0xcb, 0x49, 0x55, 0x5f,
+ 0x96, 0xe8, 0x2d, 0x85, 0x5e, 0xa9, 0x8c, 0xf9, 0x50, 0x24, 0x32, 0x82, 0x3c, 0xa9, 0x1d, 0xe9,
+ 0x2b, 0x19, 0xc8, 0x93, 0xda, 0x11, 0x8a, 0x44, 0xc2, 0x5f, 0x68, 0xc3, 0xed, 0x44, 0xbd, 0xec,
+ 0xfa, 0x8d, 0x2f, 0x72, 0xad, 0x9a, 0xb8, 0xd7, 0x8d, 0x2a, 0x8f, 0x86, 0xa1, 0x58, 0x4a, 0xe8,
+ 0x81, 0x7c, 0x30, 0xd8, 0xd5, 0xf5, 0x55, 0x99, 0xff, 0xde, 0x94, 0xc7, 0x4d, 0xc6, 0x21, 0x62,
+ 0x6e, 0xa8, 0xd4, 0xf9, 0x61, 0x04, 0x1a, 0xe5, 0x80, 0xbf, 0xd6, 0x00, 0x64, 0xa1, 0xef, 0xdb,
+ 0xc4, 0x21, 0x2e, 0xc7, 0x76, 0x7f, 0x3e, 0xd2, 0xd7, 0x64, 0xea, 0xfb, 0x53, 0x96, 0x9e, 0xc0,
+ 0xc7, 0x35, 0xec, 0x28, 0x0d, 0x30, 0x19, 0x8a, 0x52, 0xd2, 0xc3, 0x16, 0x58, 0x6c, 0x32, 0xf9,
+ 0x5b, 0x5f, 0x97, 0x4a, 0x7e, 0x38, 0x9d, 0x92, 0xf4, 0x6f, 0x10, 0xe6, 0x9a, 0x4a, 0xbf, 0xa8,
+ 0xfc, 0x68, 0xc0, 0x0e, 0x3f, 0x04, 0xdb, 0x01, 0xc1, 0x8d, 0x47, 0xae, 0xdd, 0x41, 0x9e, 0xc7,
+ 0x8f, 0xa9, 0x4d, 0x58, 0x87, 0x71, 0xe2, 0xe8, 0x1b, 0xb2, 0x73, 0x86, 0x57, 0x34, 0x94, 0x1a,
+ 0x85, 0x32, 0xd0, 0xb0, 0x08, 0xe6, 0xc5, 0x0c, 0xca, 0x74, 0x28, 0x5f, 0xbb, 0xbc, 0x38, 0xf7,
+ 0xc5, 0x7a, 0x33, 0xd4, 0xb7, 0x8f, 0x0d, 0xa7, 0x9b, 0x59, 0xc3, 0x29, 0x7c, 0x1b, 0xac, 0x31,
+ 0x62, 0x59, 0x9e, 0xe3, 0xd7, 0x02, 0xaf, 0x29, 0xc8, 0xf5, 0x2d, 0x19, 0xbc, 0xd9, 0xeb, 0x16,
+ 0xd7, 0xea, 0x51, 0x17, 0x8a, 0xc7, 0x8a, 0x8e, 0x86, 0x38, 0xfe, 0x49, 0x87, 0xe9, 0x37, 0xe5,
+ 0x10, 0xf3, 0xe6, 0x74, 0x0b, 0x9a, 0xf8, 0x24, 0x34, 0x7a, 0x94, 0x09, 0x17, 0x43, 0x29, 0xe9,
+ 0xa0, 0x03, 0x8a, 0x83, 0x1d, 0x3e, 0x72, 0xbe, 0xbc, 0xcb, 0x2c, 0x6c, 0xcb, 0xc9, 0x48, 0xdf,
+ 0x96, 0x4b, 0xbd, 0xdf, 0xeb, 0x16, 0x8b, 0xd5, 0xc9, 0xa1, 0xe8, 0x3a, 0x2e, 0xf8, 0xe3, 0xf8,
+ 0x49, 0x38, 0x96, 0xe7, 0x96, 0xcc, 0xf3, 0x6a, 0xf2, 0x14, 0x1c, 0x4b, 0x90, 0x89, 0x86, 0xa7,
+ 0x60, 0x4b, 0x95, 0x77, 0xe6, 0x32, 0xdc, 0x24, 0xf5, 0x0e, 0xb3, 0xb8, 0xcd, 0x74, 0x5d, 0x3e,
+ 0x12, 0xbd, 0xd7, 0x2d, 0x6e, 0x55, 0x52, 0xfc, 0x28, 0x15, 0x05, 0xdf, 0x01, 0xeb, 0x4d, 0x2f,
+ 0x38, 0xa7, 0x8d, 0x06, 0x71, 0x07, 0x4c, 0xaf, 0x48, 0xa6, 0x2d, 0xb1, 0xc9, 0x1e, 0xc7, 0x7c,
+ 0x28, 0x11, 0x6d, 0xfc, 0x5b, 0x03, 0x85, 0xec, 0xf1, 0xe4, 0x25, 0x8c, 0xc5, 0x24, 0x3a, 0x16,
+ 0xbf, 0x33, 0xed, 0x07, 0x92, 0x2c, 0xc9, 0x19, 0x13, 0xf2, 0x6f, 0x67, 0xc1, 0xb7, 0xbe, 0xc0,
+ 0x57, 0x15, 0xf8, 0x37, 0x0d, 0xdc, 0xf6, 0xa7, 0xb8, 0xd2, 0xa9, 0x15, 0x79, 0x9e, 0xb7, 0xe4,
+ 0x6f, 0xab, 0x02, 0xa6, 0xba, 0x52, 0xa2, 0xa9, 0x54, 0x8a, 0x7b, 0xae, 0x8b, 0x1d, 0x12, 0xbf,
+ 0xe7, 0x3e, 0xc4, 0x0e, 0x41, 0xd2, 0x63, 0xfc, 0x59, 0x03, 0x5f, 0xbf, 0x76, 0x0b, 0x86, 0x66,
+ 0x64, 0xda, 0x2e, 0xc5, 0xa6, 0xed, 0x42, 0x36, 0xc1, 0x0b, 0xff, 0x24, 0x6b, 0x1e, 0x3c, 0x7d,
+ 0x56, 0x98, 0xf9, 0xf4, 0x59, 0x61, 0xe6, 0xb3, 0x67, 0x85, 0x99, 0x4f, 0x7a, 0x05, 0xed, 0x69,
+ 0xaf, 0xa0, 0x7d, 0xda, 0x2b, 0x68, 0x9f, 0xf5, 0x0a, 0xda, 0x3f, 0x7b, 0x05, 0xed, 0x57, 0xff,
+ 0x2a, 0xcc, 0x7c, 0x34, 0xdb, 0x3e, 0xfc, 0x5f, 0x00, 0x00, 0x00, 0xff, 0xff, 0xed, 0x9b, 0x5c,
+ 0xac, 0x28, 0x18, 0x00, 0x00,
}
diff --git a/vendor/github.com/openshift/api/security/v1/generated.proto b/vendor/github.com/openshift/api/security/v1/generated.proto
index ee508a8851c5..2823b9fb3809 100644
--- a/vendor/github.com/openshift/api/security/v1/generated.proto
+++ b/vendor/github.com/openshift/api/security/v1/generated.proto
@@ -281,6 +281,27 @@ message SecurityContextConstraints {
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
repeated string seccompProfiles = 20;
+
+ // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string allowedUnsafeSysctls = 24;
+
+ // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string forbiddenSysctls = 25;
}
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
diff --git a/vendor/github.com/openshift/api/security/v1/types.go b/vendor/github.com/openshift/api/security/v1/types.go
index c5cde5842955..ad3a3ca80591 100644
--- a/vendor/github.com/openshift/api/security/v1/types.go
+++ b/vendor/github.com/openshift/api/security/v1/types.go
@@ -104,6 +104,26 @@ type SecurityContextConstraints struct {
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
SeccompProfiles []string `json:"seccompProfiles,omitempty" protobuf:"bytes,20,opt,name=seccompProfiles"`
+
+ // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,24,rep,name=allowedUnsafeSysctls"`
+ // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,25,rep,name=forbiddenSysctls"`
}
// FS Type gives strong typing to different file systems that are used by volumes.
diff --git a/vendor/github.com/openshift/api/security/v1/types_swagger_doc_generated.go b/vendor/github.com/openshift/api/security/v1/types_swagger_doc_generated.go
index 9a84ba4a6068..8f1c41f4158d 100644
--- a/vendor/github.com/openshift/api/security/v1/types_swagger_doc_generated.go
+++ b/vendor/github.com/openshift/api/security/v1/types_swagger_doc_generated.go
@@ -188,6 +188,8 @@ var map_SecurityContextConstraints = map[string]string{
"users": "The users who have permissions to use this security context constraints",
"groups": "The groups that have permission to use this security context constraints",
"seccompProfiles": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default.",
+ "allowedUnsafeSysctls": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
+ "forbiddenSysctls": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
}
func (SecurityContextConstraints) SwaggerDoc() map[string]string {
diff --git a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go
index 6c76c28414d4..892ecc4d3521 100644
--- a/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go
+++ b/vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go
@@ -461,6 +461,16 @@ func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstrain
*out = make([]string, len(*in))
copy(*out, *in)
}
+ if in.AllowedUnsafeSysctls != nil {
+ in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+ if in.ForbiddenSysctls != nil {
+ in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
return
}