Update godeps

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/conversion.go

@@ -22,6 +22,7 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/api/unversioned"
 	v1 "k8s.io/kubernetes/pkg/api/v1"
+	"k8s.io/kubernetes/pkg/apis/autoscaling"
 	"k8s.io/kubernetes/pkg/apis/batch"
 	"k8s.io/kubernetes/pkg/apis/extensions"
 	"k8s.io/kubernetes/pkg/conversion"
@@ -42,6 +43,11 @@ func addConversionFuncs(scheme *runtime.Scheme) {
 		Convert_v1beta1_RollingUpdateDeployment_To_extensions_RollingUpdateDeployment,
 		Convert_extensions_ReplicaSetSpec_To_v1beta1_ReplicaSetSpec,
 		Convert_v1beta1_ReplicaSetSpec_To_extensions_ReplicaSetSpec,
+		// autoscaling
+		Convert_autoscaling_CrossVersionObjectReference_To_v1beta1_SubresourceReference,
+		Convert_v1beta1_SubresourceReference_To_autoscaling_CrossVersionObjectReference,
+		Convert_autoscaling_HorizontalPodAutoscalerSpec_To_v1beta1_HorizontalPodAutoscalerSpec,
+		Convert_v1beta1_HorizontalPodAutoscalerSpec_To_autoscaling_HorizontalPodAutoscalerSpec,
 		// batch
 		Convert_batch_JobSpec_To_v1beta1_JobSpec,
 		Convert_v1beta1_JobSpec_To_batch_JobSpec,
@@ -346,3 +352,53 @@ func Convert_v1beta1_JobSpec_To_batch_JobSpec(in *JobSpec, out *batch.JobSpec, s
 	}
 	return nil
 }
+
+func Convert_autoscaling_CrossVersionObjectReference_To_v1beta1_SubresourceReference(in *autoscaling.CrossVersionObjectReference, out *SubresourceReference, s conversion.Scope) error {
+	out.Kind = in.Kind
+	out.Name = in.Name
+	out.APIVersion = in.APIVersion
+	out.Subresource = "scale"
+	return nil
+}
+
+func Convert_v1beta1_SubresourceReference_To_autoscaling_CrossVersionObjectReference(in *SubresourceReference, out *autoscaling.CrossVersionObjectReference, s conversion.Scope) error {
+	out.Kind = in.Kind
+	out.Name = in.Name
+	out.APIVersion = in.APIVersion
+	return nil
+}
+
+func Convert_autoscaling_HorizontalPodAutoscalerSpec_To_v1beta1_HorizontalPodAutoscalerSpec(in *autoscaling.HorizontalPodAutoscalerSpec, out *HorizontalPodAutoscalerSpec, s conversion.Scope) error {
+	if err := Convert_autoscaling_CrossVersionObjectReference_To_v1beta1_SubresourceReference(&in.ScaleTargetRef, &out.ScaleRef, s); err != nil {
+		return err
+	}
+	if in.MinReplicas != nil {
+		out.MinReplicas = new(int32)
+		*out.MinReplicas = *in.MinReplicas
+	} else {
+		out.MinReplicas = nil
+	}
+	out.MaxReplicas = in.MaxReplicas
+	if in.TargetCPUUtilizationPercentage != nil {
+		out.CPUUtilization = &CPUTargetUtilization{TargetPercentage: *in.TargetCPUUtilizationPercentage}
+	}
+	return nil
+}
+
+func Convert_v1beta1_HorizontalPodAutoscalerSpec_To_autoscaling_HorizontalPodAutoscalerSpec(in *HorizontalPodAutoscalerSpec, out *autoscaling.HorizontalPodAutoscalerSpec, s conversion.Scope) error {
+	if err := Convert_v1beta1_SubresourceReference_To_autoscaling_CrossVersionObjectReference(&in.ScaleRef, &out.ScaleTargetRef, s); err != nil {
+		return err
+	}
+	if in.MinReplicas != nil {
+		out.MinReplicas = new(int32)
+		*out.MinReplicas = int32(*in.MinReplicas)
+	} else {
+		out.MinReplicas = nil
+	}
+	out.MaxReplicas = int32(in.MaxReplicas)
+	if in.CPUUtilization != nil {
+		out.TargetCPUUtilizationPercentage = new(int32)
+		*out.TargetCPUUtilizationPercentage = int32(in.CPUUtilization.TargetPercentage)
+	}
+	return nil
+}

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/deep_copy_generated.go

@@ -48,6 +48,7 @@ func init() {
 		DeepCopy_v1beta1_DeploymentStatus,
 		DeepCopy_v1beta1_DeploymentStrategy,
 		DeepCopy_v1beta1_ExportOptions,
+		DeepCopy_v1beta1_FSGroupStrategyOptions,
 		DeepCopy_v1beta1_HTTPIngressPath,
 		DeepCopy_v1beta1_HTTPIngressRuleValue,
 		DeepCopy_v1beta1_HorizontalPodAutoscaler,
@@ -72,6 +73,12 @@ func init() {
 		DeepCopy_v1beta1_LabelSelector,
 		DeepCopy_v1beta1_LabelSelectorRequirement,
 		DeepCopy_v1beta1_ListOptions,
+		DeepCopy_v1beta1_NetworkPolicy,
+		DeepCopy_v1beta1_NetworkPolicyIngressRule,
+		DeepCopy_v1beta1_NetworkPolicyList,
+		DeepCopy_v1beta1_NetworkPolicyPeer,
+		DeepCopy_v1beta1_NetworkPolicyPort,
+		DeepCopy_v1beta1_NetworkPolicySpec,
 		DeepCopy_v1beta1_PodSecurityPolicy,
 		DeepCopy_v1beta1_PodSecurityPolicyList,
 		DeepCopy_v1beta1_PodSecurityPolicySpec,
@@ -88,6 +95,7 @@ func init() {
 		DeepCopy_v1beta1_ScaleSpec,
 		DeepCopy_v1beta1_ScaleStatus,
 		DeepCopy_v1beta1_SubresourceReference,
+		DeepCopy_v1beta1_SupplementalGroupsStrategyOptions,
 		DeepCopy_v1beta1_ThirdPartyResource,
 		DeepCopy_v1beta1_ThirdPartyResourceData,
 		DeepCopy_v1beta1_ThirdPartyResourceDataList,
@@ -347,6 +355,22 @@ func DeepCopy_v1beta1_ExportOptions(in ExportOptions, out *ExportOptions, c *con
 	return nil
 }
 
+func DeepCopy_v1beta1_FSGroupStrategyOptions(in FSGroupStrategyOptions, out *FSGroupStrategyOptions, c *conversion.Cloner) error {
+	out.Rule = in.Rule
+	if in.Ranges != nil {
+		in, out := in.Ranges, &out.Ranges
+		*out = make([]IDRange, len(in))
+		for i := range in {
+			if err := DeepCopy_v1beta1_IDRange(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Ranges = nil
+	}
+	return nil
+}
+
 func DeepCopy_v1beta1_HTTPIngressPath(in HTTPIngressPath, out *HTTPIngressPath, c *conversion.Cloner) error {
 	out.Path = in.Path
 	if err := DeepCopy_v1beta1_IngressBackend(in.Backend, &out.Backend, c); err != nil {
@@ -778,6 +802,126 @@ func DeepCopy_v1beta1_ListOptions(in ListOptions, out *ListOptions, c *conversio
 	return nil
 }
 
+func DeepCopy_v1beta1_NetworkPolicy(in NetworkPolicy, out *NetworkPolicy, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := v1.DeepCopy_v1_ObjectMeta(in.ObjectMeta, &out.ObjectMeta, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_v1beta1_NetworkPolicySpec(in.Spec, &out.Spec, c); err != nil {
+		return err
+	}
+	return nil
+}
+
+func DeepCopy_v1beta1_NetworkPolicyIngressRule(in NetworkPolicyIngressRule, out *NetworkPolicyIngressRule, c *conversion.Cloner) error {
+	if in.Ports != nil {
+		in, out := in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(in))
+		for i := range in {
+			if err := DeepCopy_v1beta1_NetworkPolicyPort(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Ports = nil
+	}
+	if in.From != nil {
+		in, out := in.From, &out.From
+		*out = make([]NetworkPolicyPeer, len(in))
+		for i := range in {
+			if err := DeepCopy_v1beta1_NetworkPolicyPeer(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.From = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1beta1_NetworkPolicyList(in NetworkPolicyList, out *NetworkPolicyList, c *conversion.Cloner) error {
+	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
+		return err
+	}
+	if err := unversioned.DeepCopy_unversioned_ListMeta(in.ListMeta, &out.ListMeta, c); err != nil {
+		return err
+	}
+	if in.Items != nil {
+		in, out := in.Items, &out.Items
+		*out = make([]NetworkPolicy, len(in))
+		for i := range in {
+			if err := DeepCopy_v1beta1_NetworkPolicy(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Items = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1beta1_NetworkPolicyPeer(in NetworkPolicyPeer, out *NetworkPolicyPeer, c *conversion.Cloner) error {
+	if in.PodSelector != nil {
+		in, out := in.PodSelector, &out.PodSelector
+		*out = new(LabelSelector)
+		if err := DeepCopy_v1beta1_LabelSelector(*in, *out, c); err != nil {
+			return err
+		}
+	} else {
+		out.PodSelector = nil
+	}
+	if in.NamespaceSelector != nil {
+		in, out := in.NamespaceSelector, &out.NamespaceSelector
+		*out = new(LabelSelector)
+		if err := DeepCopy_v1beta1_LabelSelector(*in, *out, c); err != nil {
+			return err
+		}
+	} else {
+		out.NamespaceSelector = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1beta1_NetworkPolicyPort(in NetworkPolicyPort, out *NetworkPolicyPort, c *conversion.Cloner) error {
+	if in.Protocol != nil {
+		in, out := in.Protocol, &out.Protocol
+		*out = new(v1.Protocol)
+		**out = *in
+	} else {
+		out.Protocol = nil
+	}
+	if in.Port != nil {
+		in, out := in.Port, &out.Port
+		*out = new(intstr.IntOrString)
+		if err := intstr.DeepCopy_intstr_IntOrString(*in, *out, c); err != nil {
+			return err
+		}
+	} else {
+		out.Port = nil
+	}
+	return nil
+}
+
+func DeepCopy_v1beta1_NetworkPolicySpec(in NetworkPolicySpec, out *NetworkPolicySpec, c *conversion.Cloner) error {
+	if err := DeepCopy_v1beta1_LabelSelector(in.PodSelector, &out.PodSelector, c); err != nil {
+		return err
+	}
+	if in.Ingress != nil {
+		in, out := in.Ingress, &out.Ingress
+		*out = make([]NetworkPolicyIngressRule, len(in))
+		for i := range in {
+			if err := DeepCopy_v1beta1_NetworkPolicyIngressRule(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Ingress = nil
+	}
+	return nil
+}
+
 func DeepCopy_v1beta1_PodSecurityPolicy(in PodSecurityPolicy, out *PodSecurityPolicy, c *conversion.Cloner) error {
 	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
 		return err
@@ -814,14 +958,32 @@ func DeepCopy_v1beta1_PodSecurityPolicyList(in PodSecurityPolicyList, out *PodSe
 
 func DeepCopy_v1beta1_PodSecurityPolicySpec(in PodSecurityPolicySpec, out *PodSecurityPolicySpec, c *conversion.Cloner) error {
 	out.Privileged = in.Privileged
-	if in.Capabilities != nil {
-		in, out := in.Capabilities, &out.Capabilities
+	if in.DefaultAddCapabilities != nil {
+		in, out := in.DefaultAddCapabilities, &out.DefaultAddCapabilities
 		*out = make([]v1.Capability, len(in))
 		for i := range in {
 			(*out)[i] = in[i]
 		}
 	} else {
-		out.Capabilities = nil
+		out.DefaultAddCapabilities = nil
+	}
+	if in.RequiredDropCapabilities != nil {
+		in, out := in.RequiredDropCapabilities, &out.RequiredDropCapabilities
+		*out = make([]v1.Capability, len(in))
+		for i := range in {
+			(*out)[i] = in[i]
+		}
+	} else {
+		out.RequiredDropCapabilities = nil
+	}
+	if in.AllowedCapabilities != nil {
+		in, out := in.AllowedCapabilities, &out.AllowedCapabilities
+		*out = make([]v1.Capability, len(in))
+		for i := range in {
+			(*out)[i] = in[i]
+		}
+	} else {
+		out.AllowedCapabilities = nil
 	}
 	if in.Volumes != nil {
 		in, out := in.Volumes, &out.Volumes
@@ -852,6 +1014,13 @@ func DeepCopy_v1beta1_PodSecurityPolicySpec(in PodSecurityPolicySpec, out *PodSe
 	if err := DeepCopy_v1beta1_RunAsUserStrategyOptions(in.RunAsUser, &out.RunAsUser, c); err != nil {
 		return err
 	}
+	if err := DeepCopy_v1beta1_SupplementalGroupsStrategyOptions(in.SupplementalGroups, &out.SupplementalGroups, c); err != nil {
+		return err
+	}
+	if err := DeepCopy_v1beta1_FSGroupStrategyOptions(in.FSGroup, &out.FSGroup, c); err != nil {
+		return err
+	}
+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem
 	return nil
 }
 
@@ -1030,6 +1199,22 @@ func DeepCopy_v1beta1_SubresourceReference(in SubresourceReference, out *Subreso
 	return nil
 }
 
+func DeepCopy_v1beta1_SupplementalGroupsStrategyOptions(in SupplementalGroupsStrategyOptions, out *SupplementalGroupsStrategyOptions, c *conversion.Cloner) error {
+	out.Rule = in.Rule
+	if in.Ranges != nil {
+		in, out := in.Ranges, &out.Ranges
+		*out = make([]IDRange, len(in))
+		for i := range in {
+			if err := DeepCopy_v1beta1_IDRange(in[i], &(*out)[i], c); err != nil {
+				return err
+			}
+		}
+	} else {
+		out.Ranges = nil
+	}
+	return nil
+}
+
 func DeepCopy_v1beta1_ThirdPartyResource(in ThirdPartyResource, out *ThirdPartyResource, c *conversion.Cloner) error {
 	if err := unversioned.DeepCopy_unversioned_TypeMeta(in.TypeMeta, &out.TypeMeta, c); err != nil {
 		return err

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/defaults.go

@@ -17,6 +17,7 @@ limitations under the License.
 package v1beta1
 
 import (
+	"k8s.io/kubernetes/pkg/api/v1"
 	"k8s.io/kubernetes/pkg/runtime"
 	"k8s.io/kubernetes/pkg/util/intstr"
 )
@@ -28,6 +29,7 @@ func addDefaultingFuncs(scheme *runtime.Scheme) {
 		SetDefaults_Job,
 		SetDefaults_HorizontalPodAutoscaler,
 		SetDefaults_ReplicaSet,
+		SetDefaults_NetworkPolicy,
 	)
 }
 
@@ -150,3 +152,16 @@ func SetDefaults_ReplicaSet(obj *ReplicaSet) {
 		*obj.Spec.Replicas = 1
 	}
 }
+
+func SetDefaults_NetworkPolicy(obj *NetworkPolicy) {
+	// Default any undefined Protocol fields to TCP.
+	for _, i := range obj.Spec.Ingress {
+		// TODO: Update Ports to be a pointer to slice as soon as auto-generation supports it.
+		for _, p := range i.Ports {
+			if p.Protocol == nil {
+				proto := v1.ProtocolTCP
+				p.Protocol = &proto
+			}
+		}
+	}
+}

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/generated.proto

@@ -235,6 +235,16 @@ message ExportOptions {
   optional bool exact = 2;
 }
 
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
+message FSGroupStrategyOptions {
+  // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+  optional string rule = 1;
+
+  // Ranges are the allowed ranges of fs groups.  If you would like to force a single
+  // fs group then supply a single range with the same start and end.
+  repeated IDRange ranges = 2;
+}
+
 // HTTPIngressPath associates a path regex with a backend. Incoming urls matching
 // the path are forwarded to the backend.
 message HTTPIngressPath {
@@ -615,6 +625,93 @@ message ListOptions {
   optional int64 timeoutSeconds = 5;
 }
 
+message NetworkPolicy {
+  // Standard object's metadata.
+  // More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+  optional k8s.io.kubernetes.pkg.api.v1.ObjectMeta metadata = 1;
+
+  // Specification of the desired behavior for this NetworkPolicy.
+  optional NetworkPolicySpec spec = 2;
+}
+
+// This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
+message NetworkPolicyIngressRule {
+  // List of ports which should be made accessible on the pods selected for this rule.
+  // Each item in this list is combined using a logical OR.
+  // If this field is not provided, this rule matches all ports (traffic not restricted by port).
+  // If this field is empty, this rule matches no ports (no traffic matches).
+  // If this field is present and contains at least one item, then this rule allows traffic
+  // only if the traffic matches at least one port in the list.
+  // TODO: Update this to be a pointer to slice as soon as auto-generation supports it.
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of sources which should be able to access the pods selected for this rule.
+  // Items in this list are combined using a logical OR operation.
+  // If this field is not provided, this rule matches all sources (traffic not restricted by source).
+  // If this field is empty, this rule matches no sources (no traffic matches).
+  // If this field is present and contains at least on item, this rule allows traffic only if the
+  // traffic matches at least one item in the from list.
+  // TODO: Update this to be a pointer to slice as soon as auto-generation supports it.
+  repeated NetworkPolicyPeer from = 2;
+}
+
+// Network Policy List is a list of NetworkPolicy objects.
+message NetworkPolicyList {
+  // Standard list metadata.
+  // More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+  optional k8s.io.kubernetes.pkg.api.unversioned.ListMeta metadata = 1;
+
+  // Items is a list of schema objects.
+  repeated NetworkPolicy items = 2;
+}
+
+message NetworkPolicyPeer {
+  // This is a label selector which selects Pods in this namespace.
+  // This field follows standard label selector semantics.
+  // If not provided, this selector selects no pods.
+  // If present but empty, this selector selects all pods in this namespace.
+  optional LabelSelector podSelector = 1;
+
+  // Selects Namespaces using cluster scoped-labels.  This
+  // matches all pods in all namespaces selected by this label selector.
+  // This field follows standard label selector semantics.
+  // If omitted, this selector selects no namespaces.
+  // If present but empty, this selector selects all namespaces.
+  optional LabelSelector namespaceSelector = 2;
+}
+
+message NetworkPolicyPort {
+  // Optional.  The protocol (TCP or UDP) which traffic must match.
+  // If not specified, this field defaults to TCP.
+  optional string protocol = 1;
+
+  // If specified, the port on the given protocol.  This can
+  // either be a numerical or named port on a pod.  If this field is not provided,
+  // this matches all port names and numbers.
+  // If present, only traffic on the specified protocol AND port
+  // will be matched.
+  optional k8s.io.kubernetes.pkg.util.intstr.IntOrString port = 2;
+}
+
+message NetworkPolicySpec {
+  // Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
+  // is applied to any pods selected by this field. Multiple network policies can select the
+  // same set of pods.  In this case, the ingress rules for each are combined additively.
+  // This field is NOT optional and follows standard label selector semantics.
+  // An empty podSelector matches all pods in this namespace.
+  optional LabelSelector podSelector = 1;
+
+  // List of ingress rules to be applied to the selected pods.
+  // Traffic is allowed to a pod if namespace.networkPolicy.ingress.isolation is undefined and cluster policy allows it,
+  // OR if the traffic source is the pod's local node,
+  // OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
+  // objects whose podSelector matches the pod.
+  // If this field is empty then this NetworkPolicy does not affect ingress isolation.
+  // If this field is present and contains at least one rule, this policy allows any traffic
+  // which matches at least one of the ingress rules in this list.
+  repeated NetworkPolicyIngressRule ingress = 2;
+}
+
 // Pod Security Policy governs the ability to make requests that affect the Security Context
 // that will be applied to a pod and container.
 message PodSecurityPolicy {
@@ -641,30 +738,54 @@ message PodSecurityPolicySpec {
   // privileged determines if a pod can request to be run as privileged.
   optional bool privileged = 1;
 
-  // capabilities is a list of capabilities that can be added.
-  repeated string capabilities = 2;
+  // DefaultAddCapabilities is the default set of capabilities that will be added to the container
+  // unless the pod spec specifically drops the capability.  You may not list a capabiility in both
+  // DefaultAddCapabilities and RequiredDropCapabilities.
+  repeated string defaultAddCapabilities = 2;
+
+  // RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
+  // are required to be dropped and cannot be added.
+  repeated string requiredDropCapabilities = 3;
+
+  // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+  // Capabilities in this field may be added at the pod author's discretion.
+  // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+  repeated string allowedCapabilities = 4;
 
   // volumes is a white list of allowed volume plugins.  Empty indicates that all plugins
   // may be used.
-  repeated string volumes = 3;
+  repeated string volumes = 5;
 
   // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
-  optional bool hostNetwork = 4;
+  optional bool hostNetwork = 6;
 
   // hostPorts determines which host port ranges are allowed to be exposed.
-  repeated HostPortRange hostPorts = 5;
+  repeated HostPortRange hostPorts = 7;
 
   // hostPID determines if the policy allows the use of HostPID in the pod spec.
-  optional bool hostPID = 6;
+  optional bool hostPID = 8;
 
   // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
-  optional bool hostIPC = 7;
+  optional bool hostIPC = 9;
 
   // seLinux is the strategy that will dictate the allowable labels that may be set.
-  optional SELinuxStrategyOptions seLinux = 8;
+  optional SELinuxStrategyOptions seLinux = 10;
 
   // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
-  optional RunAsUserStrategyOptions runAsUser = 9;
+  optional RunAsUserStrategyOptions runAsUser = 11;
+
+  // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+  optional SupplementalGroupsStrategyOptions supplementalGroups = 12;
+
+  // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+  optional FSGroupStrategyOptions fsGroup = 13;
+
+  // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+  // system.  If the container specifically requests to run with a non-read only root file system
+  // the PSP should deny the pod.
+  // If set to false the container may run with a read only root file system if it wishes but it
+  // will not be forced to.
+  optional bool readOnlyRootFilesystem = 14;
 }
 
 // ReplicaSet represents the configuration of a ReplicaSet.
@@ -823,7 +944,7 @@ message ScaleStatus {
 
 // SubresourceReference contains enough information to let you inspect or modify the referred subresource.
 message SubresourceReference {
-  // Kind of the referent; More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds"
+  // Kind of the referent; More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
   optional string kind = 1;
 
   // Name of the referent; More info: http://releases.k8s.io/HEAD/docs/user-guide/identifiers.md#names
@@ -836,6 +957,16 @@ message SubresourceReference {
   optional string subresource = 4;
 }
 
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
+message SupplementalGroupsStrategyOptions {
+  // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+  optional string rule = 1;
+
+  // Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
+  // supplemental group then supply a single range with the same start and end.
+  repeated IDRange ranges = 2;
+}
+
 // A ThirdPartyResource is a generic representation of a resource, it is used by add-ons and plugins to add new resource
 // types to the API.  It consists of one or more Versions of the api.
 message ThirdPartyResource {

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/register.go

@@ -61,30 +61,9 @@ func addKnownTypes(scheme *runtime.Scheme) {
 		&ReplicaSetList{},
 		&PodSecurityPolicy{},
 		&PodSecurityPolicyList{},
+		&NetworkPolicy{},
+		&NetworkPolicyList{},
 	)
 	// Add the watch version that applies
 	versionedwatch.AddToGroupVersion(scheme, SchemeGroupVersion)
 }
-
-func (obj *Deployment) GetObjectKind() unversioned.ObjectKind                  { return &obj.TypeMeta }
-func (obj *DeploymentList) GetObjectKind() unversioned.ObjectKind              { return &obj.TypeMeta }
-func (obj *DeploymentRollback) GetObjectKind() unversioned.ObjectKind          { return &obj.TypeMeta }
-func (obj *HorizontalPodAutoscaler) GetObjectKind() unversioned.ObjectKind     { return &obj.TypeMeta }
-func (obj *HorizontalPodAutoscalerList) GetObjectKind() unversioned.ObjectKind { return &obj.TypeMeta }
-func (obj *Job) GetObjectKind() unversioned.ObjectKind                         { return &obj.TypeMeta }
-func (obj *JobList) GetObjectKind() unversioned.ObjectKind                     { return &obj.TypeMeta }
-func (obj *ReplicationControllerDummy) GetObjectKind() unversioned.ObjectKind  { return &obj.TypeMeta }
-func (obj *Scale) GetObjectKind() unversioned.ObjectKind                       { return &obj.TypeMeta }
-func (obj *ThirdPartyResource) GetObjectKind() unversioned.ObjectKind          { return &obj.TypeMeta }
-func (obj *ThirdPartyResourceList) GetObjectKind() unversioned.ObjectKind      { return &obj.TypeMeta }
-func (obj *DaemonSet) GetObjectKind() unversioned.ObjectKind                   { return &obj.TypeMeta }
-func (obj *DaemonSetList) GetObjectKind() unversioned.ObjectKind               { return &obj.TypeMeta }
-func (obj *ThirdPartyResourceData) GetObjectKind() unversioned.ObjectKind      { return &obj.TypeMeta }
-func (obj *ThirdPartyResourceDataList) GetObjectKind() unversioned.ObjectKind  { return &obj.TypeMeta }
-func (obj *Ingress) GetObjectKind() unversioned.ObjectKind                     { return &obj.TypeMeta }
-func (obj *IngressList) GetObjectKind() unversioned.ObjectKind                 { return &obj.TypeMeta }
-func (obj *ListOptions) GetObjectKind() unversioned.ObjectKind                 { return &obj.TypeMeta }
-func (obj *ReplicaSet) GetObjectKind() unversioned.ObjectKind                  { return &obj.TypeMeta }
-func (obj *ReplicaSetList) GetObjectKind() unversioned.ObjectKind              { return &obj.TypeMeta }
-func (obj *PodSecurityPolicy) GetObjectKind() unversioned.ObjectKind           { return &obj.TypeMeta }
-func (obj *PodSecurityPolicyList) GetObjectKind() unversioned.ObjectKind       { return &obj.TypeMeta }

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/types.go

@@ -68,7 +68,7 @@ type ReplicationControllerDummy struct {
 
 // SubresourceReference contains enough information to let you inspect or modify the referred subresource.
 type SubresourceReference struct {
-	// Kind of the referent; More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds"
+	// Kind of the referent; More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds
 	Kind string `json:"kind,omitempty" protobuf:"bytes,1,opt,name=kind"`
 	// Name of the referent; More info: http://releases.k8s.io/HEAD/docs/user-guide/identifiers.md#names
 	Name string `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
@@ -912,6 +912,8 @@ type ReplicaSetStatus struct {
 	ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,3,opt,name=observedGeneration"`
 }
 
+// +genclient=true,nonNamespaced=true
+
 // Pod Security Policy governs the ability to make requests that affect the Security Context
 // that will be applied to a pod and container.
 type PodSecurityPolicy struct {
@@ -928,29 +930,51 @@ type PodSecurityPolicy struct {
 type PodSecurityPolicySpec struct {
 	// privileged determines if a pod can request to be run as privileged.
 	Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
-	// capabilities is a list of capabilities that can be added.
-	Capabilities []v1.Capability `json:"capabilities,omitempty" protobuf:"bytes,2,rep,name=capabilities,casttype=k8s.io/kubernetes/pkg/api/v1.Capability"`
+	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
+	// unless the pod spec specifically drops the capability.  You may not list a capabiility in both
+	// DefaultAddCapabilities and RequiredDropCapabilities.
+	DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/kubernetes/pkg/api/v1.Capability"`
+	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
+	// are required to be dropped and cannot be added.
+	RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/kubernetes/pkg/api/v1.Capability"`
+	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+	// Capabilities in this field may be added at the pod author's discretion.
+	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+	AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/kubernetes/pkg/api/v1.Capability"`
 	// volumes is a white list of allowed volume plugins.  Empty indicates that all plugins
 	// may be used.
-	Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,3,rep,name=volumes,casttype=FSType"`
+	Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"`
 	// hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
-	HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,4,opt,name=hostNetwork"`
+	HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"`
 	// hostPorts determines which host port ranges are allowed to be exposed.
-	HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,5,rep,name=hostPorts"`
+	HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"`
 	// hostPID determines if the policy allows the use of HostPID in the pod spec.
-	HostPID bool `json:"hostPID,omitempty" protobuf:"varint,6,opt,name=hostPID"`
+	HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"`
 	// hostIPC determines if the policy allows the use of HostIPC in the pod spec.
-	HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,7,opt,name=hostIPC"`
+	HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"`
 	// seLinux is the strategy that will dictate the allowable labels that may be set.
-	SELinux SELinuxStrategyOptions `json:"seLinux,omitempty" protobuf:"bytes,8,opt,name=seLinux"`
+	SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"`
 	// runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
-	RunAsUser RunAsUserStrategyOptions `json:"runAsUser,omitempty" protobuf:"bytes,9,opt,name=runAsUser"`
+	RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"`
+	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+	SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"`
+	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+	FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"`
+	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+	// system.  If the container specifically requests to run with a non-read only root file system
+	// the PSP should deny the pod.
+	// If set to false the container may run with a read only root file system if it wishes but it
+	// will not be forced to.
+	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
 }
 
 // FS Type gives strong typing to different file systems that are used by volumes.
 type FSType string
 
 var (
+	AzureFile             FSType = "azureFile"
+	Flocker               FSType = "flocker"
+	FlexVolume            FSType = "flexVolume"
 	HostPath              FSType = "hostPath"
 	EmptyDir              FSType = "emptyDir"
 	GCEPersistentDisk     FSType = "gcePersistentDisk"
@@ -966,6 +990,8 @@ var (
 	CephFS                FSType = "cephFS"
 	DownwardAPI           FSType = "downwardAPI"
 	FC                    FSType = "fc"
+	ConfigMap             FSType = "configMap"
+	All                   FSType = "*"
 )
 
 // Host Port Range defines a range of host ports that will be enabled by a policy
@@ -1026,6 +1052,46 @@ const (
 	RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
 )
 
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
+type FSGroupStrategyOptions struct {
+	// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+	Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"`
+	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
+	// fs group then supply a single range with the same start and end.
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+}
+
+// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
+// SecurityContext
+type FSGroupStrategyType string
+
+const (
+	// container must have FSGroup of X applied.
+	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
+	// container may make requests for any FSGroup labels.
+	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
+)
+
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
+type SupplementalGroupsStrategyOptions struct {
+	// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+	Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"`
+	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
+	// supplemental group then supply a single range with the same start and end.
+	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
+}
+
+// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
+// groups for a SecurityContext.
+type SupplementalGroupsStrategyType string
+
+const (
+	// container must run as a particular gid.
+	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
+	// container may make requests for any gid.
+	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
+)
+
 // Pod Security Policy List is a list of PodSecurityPolicy objects.
 type PodSecurityPolicyList struct {
 	unversioned.TypeMeta `json:",inline"`
@@ -1036,3 +1102,94 @@ type PodSecurityPolicyList struct {
 	// Items is a list of schema objects.
 	Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
+
+type NetworkPolicy struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+	v1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Specification of the desired behavior for this NetworkPolicy.
+	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
+}
+
+type NetworkPolicySpec struct {
+	// Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
+	// is applied to any pods selected by this field. Multiple network policies can select the
+	// same set of pods.  In this case, the ingress rules for each are combined additively.
+	// This field is NOT optional and follows standard label selector semantics.
+	// An empty podSelector matches all pods in this namespace.
+	PodSelector LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`
+
+	// List of ingress rules to be applied to the selected pods.
+	// Traffic is allowed to a pod if namespace.networkPolicy.ingress.isolation is undefined and cluster policy allows it,
+	// OR if the traffic source is the pod's local node,
+	// OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
+	// objects whose podSelector matches the pod.
+	// If this field is empty then this NetworkPolicy does not affect ingress isolation.
+	// If this field is present and contains at least one rule, this policy allows any traffic
+	// which matches at least one of the ingress rules in this list.
+	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
+}
+
+// This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
+type NetworkPolicyIngressRule struct {
+	// List of ports which should be made accessible on the pods selected for this rule.
+	// Each item in this list is combined using a logical OR.
+	// If this field is not provided, this rule matches all ports (traffic not restricted by port).
+	// If this field is empty, this rule matches no ports (no traffic matches).
+	// If this field is present and contains at least one item, then this rule allows traffic
+	// only if the traffic matches at least one port in the list.
+	// TODO: Update this to be a pointer to slice as soon as auto-generation supports it.
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of sources which should be able to access the pods selected for this rule.
+	// Items in this list are combined using a logical OR operation.
+	// If this field is not provided, this rule matches all sources (traffic not restricted by source).
+	// If this field is empty, this rule matches no sources (no traffic matches).
+	// If this field is present and contains at least on item, this rule allows traffic only if the
+	// traffic matches at least one item in the from list.
+	// TODO: Update this to be a pointer to slice as soon as auto-generation supports it.
+	From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
+}
+
+type NetworkPolicyPort struct {
+	// Optional.  The protocol (TCP or UDP) which traffic must match.
+	// If not specified, this field defaults to TCP.
+	Protocol *v1.Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol,casttype=k8s.io/kubernetes/pkg/api/v1.Protocol"`
+
+	// If specified, the port on the given protocol.  This can
+	// either be a numerical or named port on a pod.  If this field is not provided,
+	// this matches all port names and numbers.
+	// If present, only traffic on the specified protocol AND port
+	// will be matched.
+	Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`
+}
+
+type NetworkPolicyPeer struct {
+	// Exactly one of the following must be specified.
+
+	// This is a label selector which selects Pods in this namespace.
+	// This field follows standard label selector semantics.
+	// If not provided, this selector selects no pods.
+	// If present but empty, this selector selects all pods in this namespace.
+	PodSelector *LabelSelector `json:"podSelector,omitempty" protobuf:"bytes,1,opt,name=podSelector"`
+
+	// Selects Namespaces using cluster scoped-labels.  This
+	// matches all pods in all namespaces selected by this label selector.
+	// This field follows standard label selector semantics.
+	// If omitted, this selector selects no namespaces.
+	// If present but empty, this selector selects all namespaces.
+	NamespaceSelector *LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,2,opt,name=namespaceSelector"`
+}
+
+// Network Policy List is a list of NetworkPolicy objects.
+type NetworkPolicyList struct {
+	unversioned.TypeMeta `json:",inline"`
+	// Standard list metadata.
+	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
+	unversioned.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
+
+	// Items is a list of schema objects.
+	Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
+}

vendor/k8s.io/kubernetes/pkg/apis/extensions/v1beta1/types_swagger_doc_generated.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2015 The Kubernetes Authors All rights reserved.
+Copyright 2016 The Kubernetes Authors All rights reserved.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -186,6 +186,16 @@ func (ExportOptions) SwaggerDoc() map[string]string {
 	return map_ExportOptions
 }
 
+var map_FSGroupStrategyOptions = map[string]string{
+	"":       "FSGroupStrategyOptions defines the strategy type and options used to create the strategy.",
+	"rule":   "Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.",
+	"ranges": "Ranges are the allowed ranges of fs groups.  If you would like to force a single fs group then supply a single range with the same start and end.",
+}
+
+func (FSGroupStrategyOptions) SwaggerDoc() map[string]string {
+	return map_FSGroupStrategyOptions
+}
+
 var map_HTTPIngressPath = map[string]string{
 	"":        "HTTPIngressPath associates a path regex with a backend. Incoming urls matching the path are forwarded to the backend.",
 	"path":    "Path is a extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. Paths must begin with a '/'. If unspecified, the path defaults to a catch all sending traffic to the backend.",
@@ -446,6 +456,62 @@ func (ListOptions) SwaggerDoc() map[string]string {
 	return map_ListOptions
 }
 
+var map_NetworkPolicy = map[string]string{
+	"metadata": "Standard object's metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata",
+	"spec":     "Specification of the desired behavior for this NetworkPolicy.",
+}
+
+func (NetworkPolicy) SwaggerDoc() map[string]string {
+	return map_NetworkPolicy
+}
+
+var map_NetworkPolicyIngressRule = map[string]string{
+	"":      "This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.",
+	"ports": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is not provided, this rule matches all ports (traffic not restricted by port). If this field is empty, this rule matches no ports (no traffic matches). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"from":  "List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is not provided, this rule matches all sources (traffic not restricted by source). If this field is empty, this rule matches no sources (no traffic matches). If this field is present and contains at least on item, this rule allows traffic only if the traffic matches at least one item in the from list.",
+}
+
+func (NetworkPolicyIngressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyIngressRule
+}
+
+var map_NetworkPolicyList = map[string]string{
+	"":         "Network Policy List is a list of NetworkPolicy objects.",
+	"metadata": "Standard list metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata",
+	"items":    "Items is a list of schema objects.",
+}
+
+func (NetworkPolicyList) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyList
+}
+
+var map_NetworkPolicyPeer = map[string]string{
+	"podSelector":       "This is a label selector which selects Pods in this namespace. This field follows standard label selector semantics. If not provided, this selector selects no pods. If present but empty, this selector selects all pods in this namespace.",
+	"namespaceSelector": "Selects Namespaces using cluster scoped-labels.  This matches all pods in all namespaces selected by this label selector. This field follows standard label selector semantics. If omitted, this selector selects no namespaces. If present but empty, this selector selects all namespaces.",
+}
+
+func (NetworkPolicyPeer) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyPeer
+}
+
+var map_NetworkPolicyPort = map[string]string{
+	"protocol": "Optional.  The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP.",
+	"port":     "If specified, the port on the given protocol.  This can either be a numerical or named port on a pod.  If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.",
+}
+
+func (NetworkPolicyPort) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyPort
+}
+
+var map_NetworkPolicySpec = map[string]string{
+	"podSelector": "Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods.  In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
+	"ingress":     "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if namespace.networkPolicy.ingress.isolation is undefined and cluster policy allows it, OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not affect ingress isolation. If this field is present and contains at least one rule, this policy allows any traffic which matches at least one of the ingress rules in this list.",
+}
+
+func (NetworkPolicySpec) SwaggerDoc() map[string]string {
+	return map_NetworkPolicySpec
+}
+
 var map_PodSecurityPolicy = map[string]string{
 	"":         "Pod Security Policy governs the ability to make requests that affect the Security Context that will be applied to a pod and container.",
 	"metadata": "Standard object's metadata. More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata",
@@ -467,16 +533,21 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
 }
 
 var map_PodSecurityPolicySpec = map[string]string{
-	"":             "Pod Security Policy Spec defines the policy enforced.",
-	"privileged":   "privileged determines if a pod can request to be run as privileged.",
-	"capabilities": "capabilities is a list of capabilities that can be added.",
-	"volumes":      "volumes is a white list of allowed volume plugins.  Empty indicates that all plugins may be used.",
-	"hostNetwork":  "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
-	"hostPorts":    "hostPorts determines which host port ranges are allowed to be exposed.",
-	"hostPID":      "hostPID determines if the policy allows the use of HostPID in the pod spec.",
-	"hostIPC":      "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
-	"seLinux":      "seLinux is the strategy that will dictate the allowable labels that may be set.",
-	"runAsUser":    "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
+	"":                         "Pod Security Policy Spec defines the policy enforced.",
+	"privileged":               "privileged determines if a pod can request to be run as privileged.",
+	"defaultAddCapabilities":   "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
+	"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.",
+	"allowedCapabilities":      "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
+	"volumes":                  "volumes is a white list of allowed volume plugins.  Empty indicates that all plugins may be used.",
+	"hostNetwork":              "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
+	"hostPorts":                "hostPorts determines which host port ranges are allowed to be exposed.",
+	"hostPID":                  "hostPID determines if the policy allows the use of HostPID in the pod spec.",
+	"hostIPC":                  "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
+	"seLinux":                  "seLinux is the strategy that will dictate the allowable labels that may be set.",
+	"runAsUser":                "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
+	"supplementalGroups":       "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
+	"fsGroup":                  "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
+	"readOnlyRootFilesystem":   "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
 }
 
 func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
@@ -605,7 +676,7 @@ func (ScaleStatus) SwaggerDoc() map[string]string {
 
 var map_SubresourceReference = map[string]string{
 	"":            "SubresourceReference contains enough information to let you inspect or modify the referred subresource.",
-	"kind":        "Kind of the referent; More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds\"",
+	"kind":        "Kind of the referent; More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#types-kinds",
 	"name":        "Name of the referent; More info: http://releases.k8s.io/HEAD/docs/user-guide/identifiers.md#names",
 	"apiVersion":  "API version of the referent",
 	"subresource": "Subresource name of the referent",
@@ -615,6 +686,16 @@ func (SubresourceReference) SwaggerDoc() map[string]string {
 	return map_SubresourceReference
 }
 
+var map_SupplementalGroupsStrategyOptions = map[string]string{
+	"":       "SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.",
+	"rule":   "Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.",
+	"ranges": "Ranges are the allowed ranges of supplemental groups.  If you would like to force a single supplemental group then supply a single range with the same start and end.",
+}
+
+func (SupplementalGroupsStrategyOptions) SwaggerDoc() map[string]string {
+	return map_SupplementalGroupsStrategyOptions
+}
+
 var map_ThirdPartyResource = map[string]string{
 	"":            "A ThirdPartyResource is a generic representation of a resource, it is used by add-ons and plugins to add new resource types to the API.  It consists of one or more Versions of the api.",
 	"metadata":    "Standard object metadata",