* Pod terminationGracePeriodSeconds is always valid
Validation of a pod spec will always use the pod's
TerminationGracePeriodSeconds value.
A set of pod test-helpers have been created to help construct Pods.
* remove unused func
* reduction
* reduce 2
* simplify test
* report invalid grace period
* update SupplementalGroupPolicy tests
When replacing the deterministic ResourceClaim name with a generated one this
particular piece of the original validation was incorrectly left in place.
It's not required anymore that "<pod name>-<claim name in pod spec>" is a valid
ResourceClaim name.
The 'DefaultProcMount' string is the name of the variable, but the
actual value is 'Default'.
Signed-off-by: Arturo Borrero Gonzalez <arturo.bg@arturo.bg>
This makes the API nicer:
resourceClaims:
- name: with-template
resourceClaimTemplateName: test-inline-claim-template
- name: with-claim
resourceClaimName: test-shared-claim
Previously, this was:
resourceClaims:
- name: with-template
source:
resourceClaimTemplateName: test-inline-claim-template
- name: with-claim
source:
resourceClaimName: test-shared-claim
A more long-term benefit is that other, future alternatives
might not make sense under the "source" umbrella.
This is a breaking change. It's justified because DRA is still
alpha and will have several other API breaks in 1.31.
1. `apiGroup`: If set, it must be a valid DNS subdomain (e.g. 'example.com').
2. `kind` and `name`: It must be valid path segment name. It may not be '.' or '..' and it may not contain '/' and '%' characters.
* Add `Linux{Sandbox,Container}SecurityContext.SupplementalGroupsPolicy` and `ContainerStatus.user` in cri-api
* Add `PodSecurityContext.SupplementalGroupsPolicy`, `ContainerStatus.User` and its featuregate
* Implement DropDisabledPodFields for PodSecurityContext.SupplementalGroupsPolicy and ContainerStatus.User fields
* Implement kubelet so to wire between SecurityContext.SupplementalGroupsPolicy/ContainerStatus.User and cri-api in kubelet
* Clarify `SupplementalGroupsPolicy` is an OS depdendent field.
* Make `ContainerStatus.User` is initially attached user identity to the first process in the ContainerStatus
It is because, the process identity can be dynamic if the initially attached identity
has enough privilege calling setuid/setgid/setgroups syscalls in Linux.
* Rewording suggestion applied
* Add TODO comment for updating SupplementalGroupsPolicy default value in v1.34
* Added validations for SupplementalGroupsPolicy and ContainerUser
* No need featuregate check in validation when adding new field with no default value
* fix typo: identitiy -> identity
This will allow components that don't need to watch headless services
(heavily used on ai/ml workloads) to filter them server side.
Specially useful for kubelet and kube-proxy
Change-Id: If36c2c27f2ec80db400c9133c61428d14e124f3e
