Thanks for your pull request. It looks like this may be your first contribution to a Google open source project, in which case you'll need to sign a Contributor License Agreement (CLA).

📝 Please visit https://cla.developers.google.com/ to sign.

Once you've signed, please reply here (e.g. I signed it!) and we'll verify. Thanks.

• If you've already signed a CLA, it's possible we don't have your GitHub username or you're using a different email address. Check your existing CLA data and verify that your email is set on your git commits.
• If you signed the CLA as a corporation, please let us know the company's name.

Suggest:

• internal representation should only have container.securityContext.privileged, not container.privileged, and so on.
• v1beta3, etc, have both
• conversion from v1beta3 to internal fails on mismatch.
• conversion from internal to v1beta3 fills in both.
• conversion and check happen in pkg/api/v1beta*/conversion.go
• in a future version > v1beta3, we drop the container.privileged field.

@bgrant0607 check above statements if you have time.

10-4 - on it

@erictune's proposal is correct. See container resources for an example where we used this approach.

Conversion happens before admission control, and conversion sets corresponding values in SecurityContext if pod.privileged or pod.capabilities is set. SecurityContextDeny disallows pods with any values set in SecurityContext. So, are all pods with pod.privileged or pod.capabilities denied? I think that is okay, but just wanted to clarify my understanding.

Almost there...

whew - git reflog saved me.

@erictune the suggestion to move the check to the conversion really cleaned this up. The defaulting happens in the default.go of each v1beta* now. If an SC is already set then it won't be changed. The conversion errors if the container fields don't match the SC fields that exist. Otherwise a normal conversion occurs. Validation is left to do normal validation-y checks.

Descriptions have been added to all fields in the feedback commit.

@yifan-gu, @jonboulle - I removed the direct references to the docker options in the comments for everything except disabled. Perhaps disabled doesn't even need to be there, if you aren't specifying labels then maybe we just take no action. If you have thoughts on how to express this better please let me know.

Thanks for the feedback so far.

Conversion happens before admission control, and conversion sets corresponding values in SecurityContext if pod.privileged or pod.capabilities is set. SecurityContextDeny disallows pods with any values set in SecurityContext. So, are all pods with pod.privileged or pod.capabilities denied? I think that is okay, but just wanted to clarify my understanding.

As it stand right now, yes, it would. It creates a conflict I didn't think of, the internal api is now completely based on SecurityContext but anything with SecurityContext is denied. I'll fix that first thing tomorrow. I'll allow a SecurityContext if it only has Privileged and Caps set. Good catch.

This LGTM but needs to be squashed. Until #7779 goes in, we'll have to do the swagger changes as a separate PR.

Okay, even with #7779 merged, there is still an upstream go-restful bug that makes the validation tests break after the swagger spec is regenerated. We need that fixed before we can regen the swagger spec after this.

Actually, I think I was wrong. I ran the script locally and it produced the correct output.

LGTM. I will merge on green.

Merged

This was reverted, and was the cause of #7805. See there for more context.

For the record, the revert was itself reverted.

It was verted.

On May 5, 2015, at 8:12 PM, Paul Morie notifications@github.com wrote:

For the record, the revert was itself reverted.

—
Reply to this email directly or view it on GitHub.