@@ -1643,13 +1643,13 @@ spec:
16431643 type : string
16441644 ports :
16451645 description : List of ports to expose from the container.
1646- Exposing a port here gives the system additional information
1647- about the network connections a container uses, but
1648- is primarily informational. Not specifying a port
1649- here DOES NOT prevent that port from being exposed.
1650- Any port which is listening on the default "0.0.0.0"
1651- address inside a container will be accessible from
1652- the network. Cannot be updated.
1646+ Not specifying a port here DOES NOT prevent that port
1647+ from being exposed. Any port which is listening on
1648+ the default "0.0.0.0" address inside a container will
1649+ be accessible from the network. Modifying this array
1650+ with strategic merge patch may corrupt the data. For
1651+ more information See https://github.com/kubernetes/kubernetes/issues/108255.
1652+ Cannot be updated.
16531653 items :
16541654 description : ContainerPort represents a network port
16551655 in a single container.
@@ -2407,8 +2407,6 @@ spec:
24072407 be specified when creating a pod, and it cannot be modified
24082408 by updating the pod spec. In order to add an ephemeral container
24092409 to an existing pod, use the pod's ephemeralcontainers subresource.
2410- This field is beta-level and available on clusters that
2411- haven't disabled the EphemeralContainers feature gate.
24122410 items :
24132411 description : " An EphemeralContainer is a temporary container
24142412 that you may add to an existing Pod for user-initiated
@@ -2419,9 +2417,7 @@ spec:
24192417 container causes the Pod to exceed its resource allocation.
24202418 \n To add an ephemeral container, use the ephemeralcontainers
24212419 subresource of an existing Pod. Ephemeral containers may
2422- not be removed or restarted. \n This is a beta feature
2423- available on clusters that haven't disabled the EphemeralContainers
2424- feature gate."
2420+ not be removed or restarted."
24252421 properties :
24262422 args :
24272423 description : ' Arguments to the entrypoint. The image'' s
@@ -3735,6 +3731,19 @@ spec:
37353731 description : ' Use the host'' s pid namespace. Optional: Default
37363732 to false.'
37373733 type : boolean
3734+ hostUsers :
3735+ description : ' Use the host'' s user namespace. Optional: Default
3736+ to true. If set to true or not present, the pod will be
3737+ run in the host user namespace, useful for when the pod
3738+ needs a feature only available to the host user namespace,
3739+ such as loading a kernel module with CAP_SYS_MODULE. When
3740+ set to false, a new userns is created for the pod. Setting
3741+ false is useful for mitigating container breakout vulnerabilities
3742+ even allowing users to run their containers as root without
3743+ actually having root privileges on the host. This field
3744+ is alpha-level and is only honored by servers that enable
3745+ the UserNamespacesSupport feature.'
3746+ type : boolean
37383747 hostname :
37393748 description : Specifies the hostname of the Pod If not specified,
37403749 the pod's hostname will be set to a system-defined value.
@@ -4361,13 +4370,13 @@ spec:
43614370 type : string
43624371 ports :
43634372 description : List of ports to expose from the container.
4364- Exposing a port here gives the system additional information
4365- about the network connections a container uses, but
4366- is primarily informational. Not specifying a port
4367- here DOES NOT prevent that port from being exposed.
4368- Any port which is listening on the default "0.0.0.0"
4369- address inside a container will be accessible from
4370- the network. Cannot be updated.
4373+ Not specifying a port here DOES NOT prevent that port
4374+ from being exposed. Any port which is listening on
4375+ the default "0.0.0.0" address inside a container will
4376+ be accessible from the network. Modifying this array
4377+ with strategic merge patch may corrupt the data. For
4378+ more information See https://github.com/kubernetes/kubernetes/issues/108255.
4379+ Cannot be updated.
43714380 items :
43724381 description : ContainerPort represents a network port
43734382 in a single container.
@@ -5087,7 +5096,7 @@ spec:
50875096 set. \n If the OS field is set to linux, the following fields
50885097 must be unset: -securityContext.windowsOptions \n If the
50895098 OS field is set to windows, following fields must be unset:
5090- - spec.hostPID - spec.hostIPC - spec.securityContext.seLinuxOptions
5099+ - spec.hostPID - spec.hostIPC - spec.hostUsers - spec. securityContext.seLinuxOptions
50915100 - spec.securityContext.seccompProfile - spec.securityContext.fsGroup
50925101 - spec.securityContext.fsGroupChangePolicy - spec.securityContext.sysctls
50935102 - spec.shareProcessNamespace - spec.securityContext.runAsUser
@@ -5096,8 +5105,7 @@ spec:
50965105 - spec.containers[*].securityContext.capabilities - spec.containers[*].securityContext.readOnlyRootFilesystem
50975106 - spec.containers[*].securityContext.privileged - spec.containers[*].securityContext.allowPrivilegeEscalation
50985107 - spec.containers[*].securityContext.procMount - spec.containers[*].securityContext.runAsUser
5099- - spec.containers[*].securityContext.runAsGroup This is
5100- a beta field and requires the IdentifyPodOS feature"
5108+ - spec.containers[*].securityContext.runAsGroup"
51015109 properties :
51025110 name :
51035111 description : ' Name is the name of the operating system.
@@ -5515,6 +5523,20 @@ spec:
55155523 type : object
55165524 type : object
55175525 x-kubernetes-map-type : atomic
5526+ matchLabelKeys :
5527+ description : MatchLabelKeys is a set of pod label keys
5528+ to select the pods over which spreading will be calculated.
5529+ The keys are used to lookup values from the incoming
5530+ pod labels, those key-value labels are ANDed with
5531+ labelSelector to select the group of existing pods
5532+ over which spreading will be calculated for the incoming
5533+ pod. Keys that don't exist in the incoming pod labels
5534+ will be ignored. A null or empty list means only match
5535+ against labelSelector.
5536+ items :
5537+ type : string
5538+ type : array
5539+ x-kubernetes-list-type : atomic
55185540 maxSkew :
55195541 description : ' MaxSkew describes the degree to which
55205542 pods may be unevenly distributed. When `whenUnsatisfiable=DoNotSchedule`,
@@ -5560,10 +5582,34 @@ spec:
55605582 new pod with the same labelSelector cannot be scheduled,
55615583 because computed skew will be 3(3 - 0) if new Pod
55625584 is scheduled to any of the three zones, it will violate
5563- MaxSkew. \n This is an alpha field and requires enabling
5564- MinDomainsInPodTopologySpread feature gate."
5585+ MaxSkew. \n This is a beta field and requires the
5586+ MinDomainsInPodTopologySpread feature gate to be enabled
5587+ (enabled by default)."
55655588 format : int32
55665589 type : integer
5590+ nodeAffinityPolicy :
5591+ description : " NodeAffinityPolicy indicates how we will
5592+ treat Pod's nodeAffinity/nodeSelector when calculating
5593+ pod topology spread skew. Options are: - Honor: only
5594+ nodes matching nodeAffinity/nodeSelector are included
5595+ in the calculations. - Ignore: nodeAffinity/nodeSelector
5596+ are ignored. All nodes are included in the calculations.
5597+ \n If this value is nil, the behavior is equivalent
5598+ to the Honor policy. This is a alpha-level feature
5599+ enabled by the NodeInclusionPolicyInPodTopologySpread
5600+ feature flag."
5601+ type : string
5602+ nodeTaintsPolicy :
5603+ description : " NodeTaintsPolicy indicates how we will
5604+ treat node taints when calculating pod topology spread
5605+ skew. Options are: - Honor: nodes without taints,
5606+ along with tainted nodes for which the incoming pod
5607+ has a toleration, are included. - Ignore: node taints
5608+ are ignored. All nodes are included. \n If this value
5609+ is nil, the behavior is equivalent to the Ignore policy.
5610+ This is a alpha-level feature enabled by the NodeInclusionPolicyInPodTopologySpread
5611+ feature flag."
5612+ type : string
55675613 topologyKey :
55685614 description : TopologyKey is the key of node labels.
55695615 Nodes that have a label with this key and identical
@@ -5572,11 +5618,11 @@ spec:
55725618 to put balanced number of pods into each bucket. We
55735619 define a domain as a particular instance of a topology.
55745620 Also, we define an eligible domain as a domain whose
5575- nodes match the node selector. e.g. If TopologyKey
5576- is "kubernetes.io/hostname", each Node is a domain
5577- of that topology. And, if TopologyKey is "topology.kubernetes.io/zone",
5578- each zone is a domain of that topology. It's a required
5579- field.
5621+ nodes meet the requirements of nodeAffinityPolicy
5622+ and nodeTaintsPolicy. e.g. If TopologyKey is "kubernetes.io/hostname",
5623+ each Node is a domain of that topology. And, if TopologyKey
5624+ is "topology.kubernetes.io/zone", each zone is a domain
5625+ of that topology. It's a required field.
55805626 type : string
55815627 whenUnsatisfiable :
55825628 description : ' WhenUnsatisfiable indicates how to deal
0 commit comments