openshift
diff --git a/‎api/docs/api/v1.SecurityContextConstraints.adoc
+3-1 b/‎api/docs/api/v1.SecurityContextConstraints.adoc
+3-1
diff --git a/‎api/docs/apis-build.openshift.io/v1.BuildConfig.adoc
+1 b/‎api/docs/apis-build.openshift.io/v1.BuildConfig.adoc
+1
diff --git a/‎api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc
+3-1 b/‎api/docs/apis-security.openshift.io/v1.SecurityContextConstraints.adoc
+3-1
diff --git a/‎api/docs/oapi/v1.BuildConfig.adoc
+1 b/‎api/docs/oapi/v1.BuildConfig.adoc
+1
diff --git a/‎api/protobuf-spec/github_com_openshift_api_build_v1.proto
+3 b/‎api/protobuf-spec/github_com_openshift_api_build_v1.proto
+3
diff --git a/‎api/protobuf-spec/github_com_openshift_api_security_v1.proto
+10 b/‎api/protobuf-spec/github_com_openshift_api_security_v1.proto
+10
diff --git a/‎api/swagger-spec/api-v1.json
+8 b/‎api/swagger-spec/api-v1.json
+8
diff --git a/‎api/swagger-spec/oapi-v1.json
+4 b/‎api/swagger-spec/oapi-v1.json
+4
diff --git a/‎api/swagger-spec/openshift-openapi-spec.json
+12 b/‎api/swagger-spec/openshift-openapi-spec.json
+12
diff --git a/‎glide.lock
+15-12 b/‎glide.lock
+15-12
diff --git a/‎glide.yaml
+1-1 b/‎glide.yaml
+1-1
diff --git a/‎pkg/api/serialization_test.go
+3 b/‎pkg/api/serialization_test.go
+3
@@ -23,6 +23,7 @@ Expand or mouse-over a field for more information about it.
 </div><div style="margin-left:13px;"><span title="(boolean) AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.">allowHostNetwork</span>:
 </div><div style="margin-left:13px;"><span title="(boolean) AllowHostPID determines if the policy allows host pid in the containers.">allowHostPID</span>:
 </div><div style="margin-left:13px;"><span title="(boolean) AllowHostPorts determines if the policy allows host ports in the containers.">allowHostPorts</span>:
+</div><div style="margin-left:13px;"><span title="(boolean) AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.">allowPrivilegeEscalation</span>:
 </div><div style="margin-left:13px;"><span title="(boolean) AllowPrivilegedContainer determines if a container can request to be run as privileged.">allowPrivilegedContainer</span>:
 </div><details><summary><span title="(array) AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author&#39;s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use &#39;*&#39;.">allowedCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:
@@ -31,7 +32,8 @@ Expand or mouse-over a field for more information about it.
 </div></details><div style="margin-left:13px;"><span title="(string) APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources">apiVersion</span>:
 </div><details><summary><span title="(array) DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.">defaultAddCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:
-</div></details><details><summary><span title="(v1.FSGroupStrategyOptions) FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.">fsGroup</span>:
+</div></details><div style="margin-left:13px;"><span title="(boolean) DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.">defaultAllowPrivilegeEscalation</span>:
+</div><details><summary><span title="(v1.FSGroupStrategyOptions) FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.">fsGroup</span>:
 </summary><details><summary>  <span title="(array) Ranges are the allowed ranges of fs groups.  If you would like to force a single fs group then supply a single range with the same start and end.">ranges</span>:
 </summary><div style="margin-left:13px;">  - <span title="(integer) Max is the end of the range, inclusive.">max</span>:
 </div><div style="margin-left:13px;">    <span title="(integer) Min is the start of the range, inclusive.">min</span>:
 
@@ -351,6 +351,7 @@ Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-gu
 </div><div style="margin-left:13px;">        <span title="(string) Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency">resourceVersion</span>:
 </div><div style="margin-left:13px;">        <span title="(string) UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids">uid</span>:
 </div></details><div style="margin-left:13px;">      <span title="(string) lastTriggeredImageID is used internally by the ImageChangeController to save last used image ID for build">lastTriggeredImageID</span>:
+</div><div style="margin-left:13px;">      <span title="(boolean) paused is true if this trigger is temporarily disabled. Optional.">paused</span>:
 </div></details><div style="margin-left:13px;">    <span title="(string) type is the type of build trigger">type</span>:
 </div></details></details><details><summary><span title="(v1.BuildConfigStatus) status holds any relevant information about a build config">status</span>:
 </summary><div style="margin-left:13px;">  <span title="(integer) lastVersion is used to inform about number of last triggered build.">lastVersion</span>:
 
@@ -23,6 +23,7 @@ Expand or mouse-over a field for more information about it.
 </div><div style="margin-left:13px;"><span title="(boolean) AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.">allowHostNetwork</span>:
 </div><div style="margin-left:13px;"><span title="(boolean) AllowHostPID determines if the policy allows host pid in the containers.">allowHostPID</span>:
 </div><div style="margin-left:13px;"><span title="(boolean) AllowHostPorts determines if the policy allows host ports in the containers.">allowHostPorts</span>:
+</div><div style="margin-left:13px;"><span title="(boolean) AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.">allowPrivilegeEscalation</span>:
 </div><div style="margin-left:13px;"><span title="(boolean) AllowPrivilegedContainer determines if a container can request to be run as privileged.">allowPrivilegedContainer</span>:
 </div><details><summary><span title="(array) AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author&#39;s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use &#39;*&#39;.">allowedCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:
@@ -31,7 +32,8 @@ Expand or mouse-over a field for more information about it.
 </div></details><div style="margin-left:13px;"><span title="(string) APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources">apiVersion</span>:
 </div><details><summary><span title="(array) DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.">defaultAddCapabilities</span>:
 </summary><div style="margin-left:13px;">- <span title="(string)">[string]</span>:
-</div></details><details><summary><span title="(v1.FSGroupStrategyOptions) FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.">fsGroup</span>:
+</div></details><div style="margin-left:13px;"><span title="(boolean) DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.">defaultAllowPrivilegeEscalation</span>:
+</div><details><summary><span title="(v1.FSGroupStrategyOptions) FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.">fsGroup</span>:
 </summary><details><summary>  <span title="(array) Ranges are the allowed ranges of fs groups.  If you would like to force a single fs group then supply a single range with the same start and end.">ranges</span>:
 </summary><div style="margin-left:13px;">  - <span title="(integer) Max is the end of the range, inclusive.">max</span>:
 </div><div style="margin-left:13px;">    <span title="(integer) Min is the start of the range, inclusive.">min</span>:
 
@@ -351,6 +351,7 @@ Populated by the system. Read-only. More info: http://kubernetes.io/docs/user-gu
 </div><div style="margin-left:13px;">        <span title="(string) Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency">resourceVersion</span>:
 </div><div style="margin-left:13px;">        <span title="(string) UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids">uid</span>:
 </div></details><div style="margin-left:13px;">      <span title="(string) lastTriggeredImageID is used internally by the ImageChangeController to save last used image ID for build">lastTriggeredImageID</span>:
+</div><div style="margin-left:13px;">      <span title="(boolean) paused is true if this trigger is temporarily disabled. Optional.">paused</span>:
 </div></details><div style="margin-left:13px;">    <span title="(string) type is the type of build trigger">type</span>:
 </div></details></details><details><summary><span title="(v1.BuildConfigStatus) status holds any relevant information about a build config">status</span>:
 </summary><div style="margin-left:13px;">  <span title="(integer) lastVersion is used to inform about number of last triggered build.">lastVersion</span>:
 
@@ -38,7 +38,7 @@ import:
 
 # openshift second
 - package: github.com/openshift/api
-  version: 0ce1df2db7debb15eddb25f3ae76df4180777221
+  version: master
 - package: github.com/openshift/client-go
   version: master
 - package: github.com/openshift/imagebuilder
 
@@ -479,6 +479,9 @@ func originFuzzer(t *testing.T, seed int64) *fuzz.Fuzzer {
 			scc.SupplementalGroups.Type = supGroupTypes[c.Rand.Intn(len(supGroupTypes))]
 			fsGroupTypes := []securityapi.FSGroupStrategyType{securityapi.FSGroupStrategyMustRunAs, securityapi.FSGroupStrategyRunAsAny}
 			scc.FSGroup.Type = fsGroupTypes[c.Rand.Intn(len(fsGroupTypes))]
+			// avoid the defaulting logic for this field by making it never nil
+			allowPrivilegeEscalation := c.RandBool()
+			scc.AllowPrivilegeEscalation = &allowPrivilegeEscalation
 
 			// when fuzzing the volume types ensure it is set to avoid the defaulter's expansion.
 			// Do not use FSTypeAll or host dir setting to steer clear of defaulting mechanics