From 3f74ac39d1d9e6f6884ae9dab46f229c3ed0fd24 Mon Sep 17 00:00:00 2001
From: Eron Wright
Date: Mon, 7 Oct 2024 13:26:28 -0700
Subject: [PATCH] Update API docs for securityProfile
---
 deploy/crds/auto.pulumi.com_workspaces.yaml | 8 +++++--
 deploy/crds/pulumi.com_stacks.yaml | 16 +++++++++----
 .../crds/auto.pulumi.com_workspaces.yaml | 8 +++++--
 .../crds/pulumi.com_stacks.yaml | 16 +++++++++----
 deploy/yaml/install.yaml | 24 ++++++++++++++-----
 operator/api/auto/v1alpha1/workspace_types.go | 6 ++++-
 .../crd/bases/auto.pulumi.com_workspaces.yaml | 8 +++++--
 .../config/crd/bases/pulumi.com_stacks.yaml | 16 +++++++++----
 8 files changed, 77 insertions(+), 25 deletions(-)
diff --git a/deploy/crds/auto.pulumi.com_workspaces.yaml b/deploy/crds/auto.pulumi.com_workspaces.yaml
index 303a898c..df9453d2 100644
--- a/deploy/crds/auto.pulumi.com_workspaces.yaml
+++ b/deploy/crds/auto.pulumi.com_workspaces.yaml
@@ -8413,8 +8413,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to the workspace,
- 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
diff --git a/deploy/crds/pulumi.com_stacks.yaml b/deploy/crds/pulumi.com_stacks.yaml
index 3549fe59..841d8cfd 100644
--- a/deploy/crds/pulumi.com_stacks.yaml
+++ b/deploy/crds/pulumi.com_stacks.yaml
@@ -9334,8 +9334,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
@@ -18871,8 +18875,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
diff --git a/deploy/helm/pulumi-operator/crds/auto.pulumi.com_workspaces.yaml b/deploy/helm/pulumi-operator/crds/auto.pulumi.com_workspaces.yaml
index 303a898c..df9453d2 100644
--- a/deploy/helm/pulumi-operator/crds/auto.pulumi.com_workspaces.yaml
+++ b/deploy/helm/pulumi-operator/crds/auto.pulumi.com_workspaces.yaml
@@ -8413,8 +8413,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to the workspace,
- 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
diff --git a/deploy/helm/pulumi-operator/crds/pulumi.com_stacks.yaml b/deploy/helm/pulumi-operator/crds/pulumi.com_stacks.yaml
index 3549fe59..841d8cfd 100644
--- a/deploy/helm/pulumi-operator/crds/pulumi.com_stacks.yaml
+++ b/deploy/helm/pulumi-operator/crds/pulumi.com_stacks.yaml
@@ -9334,8 +9334,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
@@ -18871,8 +18875,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
diff --git a/deploy/yaml/install.yaml b/deploy/yaml/install.yaml
index 127b2bec..5a274c0d 100644
--- a/deploy/yaml/install.yaml
+++ b/deploy/yaml/install.yaml
@@ -9569,8 +9569,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
@@ -19106,8 +19110,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
@@ -27868,8 +27876,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to the workspace,
- 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
diff --git a/operator/api/auto/v1alpha1/workspace_types.go b/operator/api/auto/v1alpha1/workspace_types.go
index 33a3ee66..e50a5040 100644
--- a/operator/api/auto/v1alpha1/workspace_types.go
+++ b/operator/api/auto/v1alpha1/workspace_types.go
@@ -42,7 +42,11 @@ type WorkspaceSpec struct {
 // +kubebuilder:default="default"
 ServiceAccountName string `json:"serviceAccountName,omitempty"`
- // SecurityProfile applies a security profile to the workspace, 'restricted' by default.
+ // SecurityProfile applies a security profile to the workspace.
+ // The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ // the Restricted policy of the Pod Security Standards.
+ // The baseline profile runs the pod as the root user and with a security context that conforms with
+ // the Baseline policy of the Pod Security Standards.
 // +kubebuilder:default="restricted"
 // +optional
 SecurityProfile SecurityProfile `json:"securityProfile,omitempty"`
diff --git a/operator/config/crd/bases/auto.pulumi.com_workspaces.yaml b/operator/config/crd/bases/auto.pulumi.com_workspaces.yaml
index 303a898c..df9453d2 100644
--- a/operator/config/crd/bases/auto.pulumi.com_workspaces.yaml
+++ b/operator/config/crd/bases/auto.pulumi.com_workspaces.yaml
@@ -8413,8 +8413,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to the workspace,
- 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
diff --git a/operator/config/crd/bases/pulumi.com_stacks.yaml b/operator/config/crd/bases/pulumi.com_stacks.yaml
index 3549fe59..841d8cfd 100644
--- a/operator/config/crd/bases/pulumi.com_stacks.yaml
+++ b/operator/config/crd/bases/pulumi.com_stacks.yaml
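Review bot: The expanded comment on `SecurityProfile` in workspace_types.go names two profiles, but nothing visible in the hunk restricts the field to them. Its markers are only `+kubebuilder:default="restricted"` and `+optional`, and the generated CRD sections in this patch show `type: string` directly after the description with no `enum`. Because the baseline profile runs the workspace pod as root, a value outside the two documented ones is better rejected at admission than left to the controller, whose handling of unknown values is not shown here. Consider adding `// +kubebuilder:validation:Enum=restricted;baseline` (assuming those are the literal values of the SecurityProfile constants, which are defined outside this hunk) and regenerating the CRDs. The WorkspaceSpec struct begins before the hunk and continues past it.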
@@ -9334,8 +9334,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default
@@ -18871,8 +18875,12 @@ spec:
 type: object
 securityProfile:
 default: restricted
- description: SecurityProfile applies a security profile to
- the workspace, 'restricted' by default.
+ description: |-
+ SecurityProfile applies a security profile to the workspace.
+ The restricted profile (default) runs the pod as a non-root user and with a security context that conforms with
+ the Restricted policy of the Pod Security Standards.
+ The baseline profile runs the pod as the root user and with a security context that conforms with
+ the Baseline policy of the Pod Security Standards.
 type: string
 serviceAccountName:
 default: default