@@ -18955,7 +18955,8 @@

      "allowHostNetwork",

      "allowHostPorts",

      "allowHostPID",

-     "allowHostIPC"

+     "allowHostIPC",

+     "readOnlyRootFilesystem"

     ],

     "properties": {

      "kind": {

@@ -19035,6 +19036,10 @@

       "$ref": "v1.FSGroupStrategyOptions",

       "description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext."

      },

+     "readOnlyRootFilesystem": {

+      "type": "boolean",

+      "description": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."

+     },

      "users": {

       "type": "array",

       "items": {

@@ -19377,4 +19382,4 @@

     }

    }

   }

- }

\ No newline at end of file

+ }

@@ -2772,6 +2772,7 @@ func DeepCopy_api_SecurityContextConstraints(in SecurityContextConstraints, out

 	if err := DeepCopy_api_FSGroupStrategyOptions(in.FSGroup, &out.FSGroup, c); err != nil {

 		return err

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		in, out := in.Users, &out.Users

 		*out = make([]string, len(in))

@@ -2585,6 +2585,12 @@ type SecurityContextConstraints struct {

 	SupplementalGroups SupplementalGroupsStrategyOptions

 	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.

 	FSGroup FSGroupStrategyOptions

+	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file

+	// system.  If the container specifically requests to run with a non-read only root file system

+	// the SCC should deny the pod.

+	// If set to false the container may run with a read only root file system if it wishes but it

+	// will not be forced to.

+	ReadOnlyRootFilesystem bool

 	// The users who have permissions to use this security context constraints

 	Users []string

@@ -3039,6 +3039,7 @@ func autoConvert_api_SecurityContextConstraints_To_v1_SecurityContextConstraints

 	if err := Convert_api_FSGroupStrategyOptions_To_v1_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {

 		return err

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		out.Users = make([]string, len(in.Users))

 		for i := range in.Users {

@@ -6440,6 +6441,7 @@ func autoConvert_v1_SecurityContextConstraints_To_api_SecurityContextConstraints

 	if err := Convert_v1_FSGroupStrategyOptions_To_api_FSGroupStrategyOptions(&in.FSGroup, &out.FSGroup, s); err != nil {

 		return err

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		out.Users = make([]string, len(in.Users))

 		for i := range in.Users {

@@ -2395,6 +2395,7 @@ func deepCopy_v1_SecurityContextConstraints(in SecurityContextConstraints, out *

 	if err := deepCopy_v1_FSGroupStrategyOptions(in.FSGroup, &out.FSGroup, c); err != nil {

 		return err

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		out.Users = make([]string, len(in.Users))

 		for i := range in.Users {

@@ -3034,6 +3034,12 @@ type SecurityContextConstraints struct {

 	SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups,omitempty" description:"strategy used to generate supplemental groups"`

 	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.

 	FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" description:"strategy used to generate fsGroup"`

+	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file

+	// system.  If the container specifically requests to run with a non-read only root file system

+	// the SCC should deny the pod.

+	// If set to false the container may run with a read only root file system if it wishes but it

+	// will not be forced to.

+	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem" description:"require containers to run with a read only root filesystem"`

 	// The users who have permissions to use this security context constraints

 	Users []string `json:"users,omitempty" description:"users allowed to use this SecurityContextConstraints"`

@@ -1524,6 +1524,7 @@ var map_SecurityContextConstraints = map[string]string{

 	"runAsUser":                "RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.",

 	"supplementalGroups":       "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",

 	"fsGroup":                  "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",

+	"readOnlyRootFilesystem":   "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",

 	"users":                    "The users who have permissions to use this security context constraints",

 	"groups":                   "The groups that have permission to use this security context constraints",

 }

@@ -2086,6 +2086,7 @@ func convert_api_SecurityContextConstraints_To_v1beta3_SecurityContextConstraint

 	} else {

 		out.RequiredDropCapabilities = nil

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		out.Users = make([]string, len(in.Users))

 		for i := range in.Users {

@@ -4350,6 +4351,7 @@ func convert_v1beta3_SecurityContextConstraints_To_api_SecurityContextConstraint

 	} else {

 		out.RequiredDropCapabilities = nil

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		out.Users = make([]string, len(in.Users))

 		for i := range in.Users {

@@ -2085,6 +2085,7 @@ func deepCopy_v1beta3_SecurityContextConstraints(in SecurityContextConstraints,

 	} else {

 		out.RequiredDropCapabilities = nil

 	}

+	out.ReadOnlyRootFilesystem = in.ReadOnlyRootFilesystem

 	if in.Users != nil {

 		out.Users = make([]string, len(in.Users))

 		for i := range in.Users {

@@ -2121,6 +2121,12 @@ type SecurityContextConstraints struct {

 	SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups,omitempty" description:"strategy used to generate supplemental groups"`

 	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.

 	FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" description:"strategy used to generate fsGroup"`

+	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file

+	// system.  If the container specifically requests to run with a non-read only root file system

+	// the SCC should deny the pod.

+	// If set to false the container may run with a read only root file system if it wishes but it

+	// will not be forced to.

+	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem" description:"require containers to run with a read only root filesystem"`

 	// The users who have permissions to use this security context constraints

 	Users []string `json:"users,omitempty" description:"users allowed to use this SecurityContextConstraints"`

@@ -335,13 +335,13 @@ type versionToResourceToFieldMapping map[unversioned.GroupVersion]resourceTypeTo

 func (v versionToResourceToFieldMapping) filterField(groupVersion *unversioned.GroupVersion, resourceType, field, value string) (newField, newValue string, err error) {

 	rMapping, ok := v[*groupVersion]

 	if !ok {

-		glog.Warningf("Field selector: %v - %v - %v - %v: need to check if this is versioned correctly.", groupVersion, resourceType, field, value)

+		// glog.Warningf("Field selector: %v - %v - %v - %v: need to check if this is versioned correctly.", groupVersion, resourceType, field, value)

 		return field, value, nil

 	}

 	newField, newValue, err = rMapping.filterField(resourceType, field, value)

 	if err != nil {

 		// This is only a warning until we find and fix all of the client's usages.

-		glog.Warningf("Field selector: %v - %v - %v - %v: need to check if this is versioned correctly.", groupVersion, resourceType, field, value)

+		// glog.Warningf("Field selector: %v - %v - %v - %v: need to check if this is versioned correctly.", groupVersion, resourceType, field, value)

 		return field, value, nil

 	}

 	return newField, newValue, nil

@@ -28,8 +28,8 @@ import (

 	"github.com/golang/glog"

 	"github.com/spf13/cobra"

 	"k8s.io/kubernetes/pkg/api"

-	"k8s.io/kubernetes/pkg/client/restclient"

 	apierrors "k8s.io/kubernetes/pkg/api/errors"

+	"k8s.io/kubernetes/pkg/client/restclient"

 	client "k8s.io/kubernetes/pkg/client/unversioned"

 	"k8s.io/kubernetes/pkg/client/unversioned/remotecommand"

 	cmdutil "k8s.io/kubernetes/pkg/kubectl/cmd/util"

@@ -98,7 +98,6 @@ func RunHistory(f *cmdutil.Factory, cmd *cobra.Command, out io.Writer, args []st

 			continue

 		}

-		formattedOutput := ""

 		if revisionDetail > 0 {

 			// Print details of a specific revision

 			template, ok := historyInfo.RevisionToTemplate[revisionDetail]

@@ -106,16 +105,16 @@ func RunHistory(f *cmdutil.Factory, cmd *cobra.Command, out io.Writer, args []st

 				return fmt.Errorf("unable to find revision %d of %s %q", revisionDetail, mapping.Resource, info.Name)

 			}

 			fmt.Fprintf(out, "%s %q revision %d\n", mapping.Resource, info.Name, revisionDetail)

-			formattedOutput, err = kubectl.DescribePodTemplate(template)

+			kubectl.DescribePodTemplate(template, out)

 		} else {

 			// Print all revisions

-			formattedOutput, err = kubectl.PrintRolloutHistory(historyInfo, mapping.Resource, info.Name)

-		}

-		if err != nil {

-			errs = append(errs, err)

-			continue

+			formattedOutput, printErr := kubectl.PrintRolloutHistory(historyInfo, mapping.Resource, info.Name)

+			if printErr != nil {

+				errs = append(errs, printErr)

+				continue

+			}

+			fmt.Fprintf(out, "%s\n", formattedOutput)

 		}

-		fmt.Fprintf(out, "%s\n", formattedOutput)

 	}

 	return errors.NewAggregate(errs)

@@ -494,6 +494,7 @@ func describeSecurityContextConstraints(scc *api.SecurityContextConstraints) (st

 		fmt.Fprintf(out, "  Allow Host Ports:\t%t\n", scc.AllowHostPorts)

 		fmt.Fprintf(out, "  Allow Host PID:\t%t\n", scc.AllowHostPID)

 		fmt.Fprintf(out, "  Allow Host IPC:\t%t\n", scc.AllowHostIPC)

+		fmt.Fprintf(out, "  Read Only Root Filesystem:\t%t\n", scc.ReadOnlyRootFilesystem)

 		fmt.Fprintf(out, "  Run As User Strategy: %s\t\n", string(scc.RunAsUser.Type))

 		uid := ""

@@ -626,7 +627,7 @@ func describePod(pod *api.Pod, events *api.EventList) (string, error) {

 		fmt.Fprintf(out, "IP:\t%s\n", pod.Status.PodIP)

 		fmt.Fprintf(out, "Controllers:\t%s\n", printControllers(pod.Annotations))

 		fmt.Fprintf(out, "Containers:\n")

-		DescribeContainers(pod.Spec.Containers, pod.Status.ContainerStatuses, EnvValueRetriever(pod), out)

+		describeContainers(pod.Spec.Containers, pod.Status.ContainerStatuses, EnvValueRetriever(pod), out)

 		if len(pod.Status.Conditions) > 0 {

 			fmt.Fprint(out, "Conditions:\n  Type\tStatus\n")

 			for _, c := range pod.Status.Conditions {

@@ -635,7 +636,7 @@ func describePod(pod *api.Pod, events *api.EventList) (string, error) {

 					c.Status)

 			}

 		}

-		describeVolumes(pod.Spec.Volumes, out)

+		describeVolumes(pod.Spec.Volumes, out, "")

 		if events != nil {

 			DescribeEvents(events, out)

 		}

@@ -655,12 +656,12 @@ func printControllers(annotation map[string]string) string {

 	return "<none>"

 }

-func describeVolumes(volumes []api.Volume, out io.Writer) {

+func describeVolumes(volumes []api.Volume, out io.Writer, space string) {

 	if volumes == nil || len(volumes) == 0 {

-		fmt.Fprint(out, "No volumes.\n")

+		fmt.Fprintf(out, "%sNo volumes.\n", space)

 		return

 	}

-	fmt.Fprint(out, "Volumes:\n")

+	fmt.Fprintf(out, "%sVolumes:\n", space)

 	for _, volume := range volumes {

 		fmt.Fprintf(out, "  %v:\n", volume.Name)

 		switch {

@@ -879,8 +880,8 @@ func (d *PersistentVolumeClaimDescriber) Describe(namespace, name string) (strin

 	})

 }

-// DescribeContainers is exported for consumers in other API groups that have container templates

-func DescribeContainers(containers []api.Container, containerStatuses []api.ContainerStatus, resolverFn EnvVarResolverFunc, out io.Writer) {

+// describeContainers is exported for consumers in other API groups that have container templates

+func describeContainers(containers []api.Container, containerStatuses []api.ContainerStatus, resolverFn EnvVarResolverFunc, out io.Writer) {

 	statuses := map[string]api.ContainerStatus{}

 	for _, status := range containerStatuses {

 		statuses[status.Name] = status

@@ -1096,7 +1097,7 @@ func describeReplicationController(controller *api.ReplicationController, events

 		fmt.Fprintf(out, "Replicas:\t%d current / %d desired\n", controller.Status.Replicas, controller.Spec.Replicas)

 		fmt.Fprintf(out, "Pods Status:\t%d Running / %d Waiting / %d Succeeded / %d Failed\n", running, waiting, succeeded, failed)

 		if controller.Spec.Template != nil {

-			describeVolumes(controller.Spec.Template.Spec.Volumes, out)

+			describeVolumes(controller.Spec.Template.Spec.Volumes, out, "")

 		}

 		if events != nil {

 			DescribeEvents(events, out)

@@ -1105,18 +1106,21 @@ func describeReplicationController(controller *api.ReplicationController, events

 	})

 }

-func DescribePodTemplate(template *api.PodTemplateSpec) (string, error) {

-	return tabbedString(func(out io.Writer) error {

-		if template == nil {

-			fmt.Fprintf(out, "<unset>")

-			return nil

-		}

-		fmt.Fprintf(out, "Labels:\t%s\n", labels.FormatLabels(template.Labels))

-		fmt.Fprintf(out, "Annotations:\t%s\n", labels.FormatLabels(template.Annotations))

-		fmt.Fprintf(out, "Image(s):\t%s\n", makeImageList(&template.Spec))

-		describeVolumes(template.Spec.Volumes, out)

-		return nil

-	})

+func DescribePodTemplate(template *api.PodTemplateSpec, out io.Writer) {

+	if template == nil {

+		fmt.Fprintf(out, "  <unset>")

+		return

+	}

+	fmt.Fprintf(out, "  Labels:\t%s\n", labels.FormatLabels(template.Labels))

+	if len(template.Annotations) > 0 {

+		fmt.Fprintf(out, "  Annotations:\t%s\n", labels.FormatLabels(template.Annotations))

+	}

+	if len(template.Spec.ServiceAccountName) > 0 {

+		fmt.Fprintf(out, "  Service Account:\t%s\n", template.Spec.ServiceAccountName)

+	}

+	fmt.Fprintf(out, "  Containers:\n")

+	describeContainers(template.Spec.Containers, nil, nil, out)

+	describeVolumes(template.Spec.Volumes, out, "  ")

 }

 // ReplicaSetDescriber generates information about a ReplicaSet and the pods it has created.

@@ -1157,7 +1161,7 @@ func describeReplicaSet(rs *extensions.ReplicaSet, events *api.EventList, runnin

 		fmt.Fprintf(out, "Labels:\t%s\n", labels.FormatLabels(rs.Labels))

 		fmt.Fprintf(out, "Replicas:\t%d current / %d desired\n", rs.Status.Replicas, rs.Spec.Replicas)

 		fmt.Fprintf(out, "Pods Status:\t%d Running / %d Waiting / %d Succeeded / %d Failed\n", running, waiting, succeeded, failed)

-		describeVolumes(rs.Spec.Template.Spec.Volumes, out)

+		describeVolumes(rs.Spec.Template.Spec.Volumes, out, "")

 		if events != nil {

 			DescribeEvents(events, out)

 		}

@@ -1202,7 +1206,7 @@ func describeJob(job *extensions.Job, events *api.EventList) (string, error) {

 		}

 		fmt.Fprintf(out, "Labels:\t%s\n", labels.FormatLabels(job.Labels))

 		fmt.Fprintf(out, "Pods Statuses:\t%d Running / %d Succeeded / %d Failed\n", job.Status.Active, job.Status.Succeeded, job.Status.Failed)

-		describeVolumes(job.Spec.Template.Spec.Volumes, out)

+		describeVolumes(job.Spec.Template.Spec.Volumes, out, "")

 		if events != nil {

 			DescribeEvents(events, out)

 		}

@@ -268,7 +268,7 @@ func TestDescribeContainers(t *testing.T) {

 				ContainerStatuses: []api.ContainerStatus{testCase.status},

 			},

 		}

-		DescribeContainers(pod.Spec.Containers, pod.Status.ContainerStatuses, EnvValueRetriever(&pod), out)

+		describeContainers(pod.Spec.Containers, pod.Status.ContainerStatuses, EnvValueRetriever(&pod), out)

 		output := out.String()

 		for _, expected := range testCase.expectedElements {

 			if !strings.Contains(output, expected) {

@@ -420,7 +420,7 @@ var withNamespacePrefixColumns = []string{"NAMESPACE"} // TODO(erictune): print

 var deploymentColumns = []string{"NAME", "DESIRED", "CURRENT", "UP-TO-DATE", "AVAILABLE", "AGE"}

 var configMapColumns = []string{"NAME", "DATA", "AGE"}

 var podSecurityPolicyColumns = []string{"NAME", "PRIV", "CAPS", "VOLUMEPLUGINS", "SELINUX", "RUNASUSER"}

-var securityContextConstraintsColumns = []string{"NAME", "PRIV", "CAPS", "HOSTDIR", "SELINUX", "RUNASUSER", "FSGROUP", "SUPGROUP", "PRIORITY"}

+var securityContextConstraintsColumns = []string{"NAME", "PRIV", "CAPS", "HOSTDIR", "SELINUX", "RUNASUSER", "FSGROUP", "SUPGROUP", "PRIORITY", "READONLYROOTFS"}

 // addDefaultHandlers adds print handlers for default Kubernetes types.

 func (h *HumanReadablePrinter) addDefaultHandlers() {

@@ -1950,9 +1950,9 @@ func printSecurityContextConstraints(item *api.SecurityContextConstraints, w io.

 		priority = strconv.Itoa(*item.Priority)

 	}

-	_, err := fmt.Fprintf(w, "%s\t%t\t%v\t%t\t%s\t%s\t%s\t%s\t%s\n", item.Name, item.AllowPrivilegedContainer,

+	_, err := fmt.Fprintf(w, "%s\t%t\t%v\t%t\t%s\t%s\t%s\t%s\t%s\t%t\n", item.Name, item.AllowPrivilegedContainer,

 		item.AllowedCapabilities, item.AllowHostDirVolumePlugin, item.SELinuxContext.Type,

-		item.RunAsUser.Type, item.FSGroup.Type, item.SupplementalGroups.Type, priority)

+		item.RunAsUser.Type, item.FSGroup.Type, item.SupplementalGroups.Type, priority, item.ReadOnlyRootFilesystem)

 	return err

 }

@@ -1104,11 +1104,6 @@ func (kl *Kubelet) initialNodeStatus() (*api.Node, error) {

 		}

 	} else {

 		node.Spec.ExternalID = kl.hostname

-		// If no cloud provider is defined - use the one detected by cadvisor

-		info, err := kl.GetCachedMachineInfo()

-		if err == nil {

-			kl.updateCloudProviderFromMachineInfo(node, info)

-		}

 	}

 	if err := kl.setNodeStatus(node); err != nil {

 		return nil, err

@@ -2870,17 +2865,6 @@ func (kl *Kubelet) setNodeAddress(node *api.Node) error {

 	return nil

 }

-func (kl *Kubelet) updateCloudProviderFromMachineInfo(

-	node *api.Node,

-	info *cadvisorapi.MachineInfo) {

-

-	if info.CloudProvider != cadvisorapi.UnknownProvider &&

-		info.CloudProvider != cadvisorapi.Baremetal {

-		node.Spec.ProviderID = strings.ToLower(string(info.CloudProvider)) +

-			":////" + string(info.InstanceID)

-	}

-}

-

 func (kl *Kubelet) setNodeStatusMachineInfo(node *api.Node) {

 	// TODO: Post NotReady if we cannot get MachineInfo from cAdvisor. This needs to start

 	// cAdvisor locally, e.g. for test-cmd.sh, and in integration test.

@@ -159,6 +159,11 @@ func DetermineEffectiveSecurityContext(pod *api.Pod, container *api.Container) *

 		*effectiveSc.RunAsNonRoot = *containerSc.RunAsNonRoot

 	}

+	if containerSc.ReadOnlyRootFilesystem != nil {

+		effectiveSc.ReadOnlyRootFilesystem = new(bool)

+		*effectiveSc.ReadOnlyRootFilesystem = *containerSc.ReadOnlyRootFilesystem

+	}

+

 	return effectiveSc

 }

@@ -181,6 +181,13 @@ func (s *simpleProvider) CreateContainerSecurityContext(pod *api.Pod, container

 	}

 	sc.Capabilities = caps

+	// if the SCC requires a read only root filesystem and the container has not made a specific

+	// request then default ReadOnlyRootFilesystem to true.

+	if s.scc.ReadOnlyRootFilesystem && sc.ReadOnlyRootFilesystem == nil {

+		readOnlyRootFS := true

+		sc.ReadOnlyRootFilesystem = &readOnlyRootFS

+	}

+

 	return sc, nil

 }

@@ -271,6 +278,14 @@ func (s *simpleProvider) ValidateContainerSecurityContext(pod *api.Pod, containe

 		allErrs = append(allErrs, field.Invalid(fldPath.Child("hostIPC"), pod.Spec.SecurityContext.HostIPC, "Host IPC is not allowed to be used"))

 	}

+	if s.scc.ReadOnlyRootFilesystem {

+		if sc.ReadOnlyRootFilesystem == nil {

+			allErrs = append(allErrs, field.Invalid(fldPath.Child("readOnlyRootFilesystem"), sc.ReadOnlyRootFilesystem, "ReadOnlyRootFilesystem may not be nil and must be set to true"))

+		} else if !*sc.ReadOnlyRootFilesystem {

+			allErrs = append(allErrs, field.Invalid(fldPath.Child("readOnlyRootFilesystem"), *sc.ReadOnlyRootFilesystem, "ReadOnlyRootFilesystem must be set to true"))

+		}

+	}

+

 	return allErrs

 }

@@ -129,6 +129,8 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {

 			SupplementalGroups: api.SupplementalGroupsStrategyOptions{

 				Type: api.SupplementalGroupsStrategyRunAsAny,

 			},

+			// mutates the container SC by defaulting to true if container sets nil

+			ReadOnlyRootFilesystem: true,

 		}

 	}

@@ -141,7 +143,7 @@ func TestCreateContainerSecurityContextNonmutating(t *testing.T) {

 	}

 	sc, err := provider.CreateContainerSecurityContext(pod, &pod.Spec.Containers[0])

 	if err != nil {

-		t.Fatal("unable to create provider %v", err)

+		t.Fatal("unable to create container security context %v", err)

 	}

 	// The generated security context should have filled in missing options, so they should differ

@@ -316,6 +318,13 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {

 	failHostPortPod := defaultPod()

 	failHostPortPod.Spec.Containers[0].Ports = []api.ContainerPort{{HostPort: 1}}

+	readOnlyRootFSSCC := defaultSCC()

+	readOnlyRootFSSCC.ReadOnlyRootFilesystem = true

+

+	readOnlyRootFSPodFalse := defaultPod()

+	readOnlyRootFS := false

+	readOnlyRootFSPodFalse.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = &readOnlyRootFS

+

 	errorCases := map[string]struct {

 		pod           *api.Pod

 		scc           *api.SecurityContextConstraints

@@ -351,6 +360,16 @@ func TestValidateContainerSecurityContextFailures(t *testing.T) {

 			scc:           defaultSCC(),

 			expectedError: "Host ports are not allowed to be used",

 		},

+		"failReadOnlyRootFS - nil": {

+			pod:           defaultPod(),

+			scc:           readOnlyRootFSSCC,

+			expectedError: "ReadOnlyRootFilesystem may not be nil and must be set to true",

+		},

+		"failReadOnlyRootFS - false": {

+			pod:           readOnlyRootFSPodFalse,

+			scc:           readOnlyRootFSSCC,

+			expectedError: "ReadOnlyRootFilesystem must be set to true",

+		},

 	}

 	for k, v := range errorCases {

@@ -545,6 +564,14 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {

 	hostPortPod := defaultPod()

 	hostPortPod.Spec.Containers[0].Ports = []api.ContainerPort{{HostPort: 1}}

+	readOnlyRootFSPodFalse := defaultPod()

+	readOnlyRootFSFalse := false

+	readOnlyRootFSPodFalse.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = &readOnlyRootFSFalse

+

+	readOnlyRootFSPodTrue := defaultPod()

+	readOnlyRootFSTrue := true

+	readOnlyRootFSPodTrue.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = &readOnlyRootFSTrue

+

 	errorCases := map[string]struct {

 		pod *api.Pod

 		scc *api.SecurityContextConstraints

@@ -577,6 +604,18 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {

 			pod: hostPortPod,

 			scc: hostPortSCC,

 		},

+		"pass read only root fs - nil": {

+			pod: defaultPod(),

+			scc: defaultSCC(),

+		},

+		"pass read only root fs - false": {

+			pod: readOnlyRootFSPodFalse,

+			scc: defaultSCC(),

+		},

+		"pass read only root fs - true": {

+			pod: readOnlyRootFSPodTrue,

+			scc: defaultSCC(),

+		},

 	}

 	for k, v := range errorCases {

@@ -592,6 +631,85 @@ func TestValidateContainerSecurityContextSuccess(t *testing.T) {

 	}

 }

+func TestGenerateContainerSecurityContextReadOnlyRootFS(t *testing.T) {

+	trueSCC := defaultSCC()

+	trueSCC.ReadOnlyRootFilesystem = true

+

+	trueVal := true

+	expectTrue := &trueVal

+	falseVal := false

+	expectFalse := &falseVal

+

+	falsePod := defaultPod()

+	falsePod.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = expectFalse

+

+	truePod := defaultPod()

+	truePod.Spec.Containers[0].SecurityContext.ReadOnlyRootFilesystem = expectTrue

+

+	tests := map[string]struct {

+		pod      *api.Pod

+		scc      *api.SecurityContextConstraints

+		expected *bool

+	}{

+		"false scc, nil sc": {

+			scc:      defaultSCC(),

+			pod:      defaultPod(),

+			expected: nil,

+		},

+		"false scc, false sc": {

+			scc:      defaultSCC(),

+			pod:      falsePod,

+			expected: expectFalse,

+		},

+		"false scc, true sc": {

+			scc:      defaultSCC(),

+			pod:      truePod,

+			expected: expectTrue,

+		},

+		"true scc, nil sc": {

+			scc:      trueSCC,

+			pod:      defaultPod(),

+			expected: expectTrue,

+		},

+		"true scc, false sc": {

+			scc: trueSCC,

+			pod: falsePod,

+			// expect false even though it defaults to true to ensure it doesn't change set values

+			// validation catches the mismatch, not generation

+			expected: expectFalse,

+		},

+		"true scc, true sc": {

+			scc:      trueSCC,

+			pod:      truePod,

+			expected: expectTrue,

+		},

+	}

+

+	for k, v := range tests {

+		provider, err := NewSimpleProvider(v.scc)

+		if err != nil {

+			t.Errorf("%s unable to create provider %v", k, err)

+			continue

+		}

+		sc, err := provider.CreateContainerSecurityContext(v.pod, &v.pod.Spec.Containers[0])

+		if err != nil {

+			t.Errorf("%s unable to create container security context %v", k, err)

+			continue

+		}

+

+		if v.expected == nil && sc.ReadOnlyRootFilesystem != nil {

+			t.Errorf("%s expected a nil ReadOnlyRootFilesystem but got %t", k, *sc.ReadOnlyRootFilesystem)

+		}

+		if v.expected != nil && sc.ReadOnlyRootFilesystem == nil {

+			t.Errorf("%s expected a non nil ReadOnlyRootFilesystem but recieved nil", k)

+		}

+		if v.expected != nil && sc.ReadOnlyRootFilesystem != nil && (*v.expected != *sc.ReadOnlyRootFilesystem) {

+			t.Errorf("%s expected a non nil ReadOnlyRootFilesystem set to %t but got %t", k, *v.expected, *sc.ReadOnlyRootFilesystem)

+		}

+

+	}

+}

+

 func defaultSCC() *api.SecurityContextConstraints {

 	return &api.SecurityContextConstraints{

 		ObjectMeta: api.ObjectMeta{

@@ -30,11 +30,9 @@ import (

 // This test requires that --terminated-pod-gc-threshold=100 be set on the controller manager

 //

 // Slow by design (7 min)

-var _ = Describe("Garbage collector [Slow]", func() {

+var _ = Describe("Garbage collector [Feature:GarbageCollector] [Slow]", func() {

 	f := NewDefaultFramework("garbage-collector")

 	It("should handle the creation of 1000 pods", func() {

-		SkipUnlessProviderIs("gce")

-

 		var count int

 		for count < 1000 {

 			pod, err := createTerminatingPod(f)

@@ -18959,7 +18959,8 @@

      "allowHostNetwork",

      "allowHostPorts",

      "allowHostPID",

-     "allowHostIPC"

+     "allowHostIPC",

+     "readOnlyRootFilesystem"

     ],

     "properties": {

      "kind": {

@@ -19039,6 +19040,10 @@

       "$ref": "v1.FSGroupStrategyOptions",

       "description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext."

      },

+     "readOnlyRootFilesystem": {

+      "type": "boolean",

+      "description": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."

+     },

      "users": {

       "type": "array",

       "items": {

@@ -21,6 +21,7 @@

   "unused": true,

   "globals": {

     "angular": false,

+    "ansi_up": false,

     "c3": false,

     "d3": false,

     "hawtioPluginLoader": false,

@@ -37,7 +37,23 @@

     <div ng-view></div>

-    <noscript class="attention-message"><h1>To use OpenShift, please enable JavaScript.</h1></noscript>

+    <noscript>

+      <nav class="navbar navbar-pf-alt" role="navigation">

+        <div row>

+          <div class="navbar-header">

+            <a class="navbar-brand" id="openshift-logo" href="./">

+              <div id="header-logo"></div>

+            </a>

+          </div>

+        </div>

+      </nav>

+      <div class="attention-message">

+        <h1>JavaScript Required</h1>

+        <p>The OpenShift web console requires JavaScript to provide a rich interactive experience. Please

+        enable JavaScript to continue. If you do not wish to enable JavaScript or are unable to do so,

+        you may use the command-line tools to manage your projects and applications instead.</p>

+      </div>

+    </noscript>

     <script src="config.js"></script>

@@ -100,6 +116,7 @@

     <script src="bower_components/yamljs/bin/yaml.js"></script>

     <script src="bower_components/clipboard/dist/clipboard.js"></script>

     <script src="bower_components/pathseg/pathseg.js"></script>

+    <script src="bower_components/ansi_up/ansi_up.js"></script>

     <!-- endbower -->

     <!-- endbuild -->

@@ -5,7 +5,8 @@ angular.module('openshiftConsole')

     return {

       restrict: 'E',

       scope: {

-        alerts: '='

+        alerts: '=',

+        hideCloseButton: '=?'

       },

       templateUrl: 'views/_alerts.html'

     };

@@ -27,7 +27,12 @@ angular.module('openshiftConsole')

         // this webkit bug with user-select: none;

         //   https://bugs.webkit.org/show_bug.cgi?id=80159

         line.firstChild.setAttribute('data-line-number', lineNumber);

-        line.lastChild.appendChild(document.createTextNode(text));

+

+        // Escape ANSI color codes

+        var escaped = ansi_up.escape_for_html(text);

+        var html = ansi_up.ansi_to_html(escaped);

+        var linkifiedHTML = ansi_up.linkify(html);

+        line.lastChild.innerHTML = linkifiedHTML;

         return line;

       };

@@ -55,8 +55,13 @@ angular.module('openshiftConsole')

           $scope.width = 175;

         }

-        // https://github.com/mbostock/d3/wiki/Formatting

-        var percentage = d3.format(".2p");

+        var percentage = function(value) {

+          if (!value) {

+            return "0%";

+          }

+

+          return (Number(value) * 100).toFixed(1) + "%";

+        };

         // Chart configuration, see http://c3js.org/reference.html

         $scope.chartID = _.uniqueId('quota-usage-chart-');

@@ -790,8 +790,10 @@ angular.module('openshiftConsole')

       var nameFormatMap = {

         'configmaps': 'Config Maps',

+        'cpu': 'CPU (Request)',

         'limits.cpu': 'CPU (Limit)',

         'limits.memory': 'Memory (Limit)',

+        'memory': 'Memory (Request)',

         'openshift.io/imagesize': 'Image Size',

         'openshift.io/imagestreamsize': 'Image Stream Size',

         'openshift.io/projectimagessize': 'Project Image Size',

@@ -44,7 +44,7 @@ angular.module('openshiftConsole')

                                   description = 'The project ' + context.projectName + ' does not exist or you are not authorized to view it.';

                                   type = 'access_denied';

                                 } else if (e.status === 404) {

-                                  description = 'The project " + context.projectName + " does not exist.';

+                                  description = 'The project ' + context.projectName + ' does not exist.';

                                   type = 'not_found';

                                 }

                                 $location

@@ -720,17 +720,21 @@ select:invalid {

 }

 .attention-message {

-  background-color: lighten(@brand-primary, 20%);

+  background-color: lighten(@brand-primary, 50%);

   border: 1px solid darken(@brand-primary, 10%);

   position: absolute;

-  top: 20%;

   left: 50%;

-  transform: translate(-50%, -50%);

+  margin-top: 100px;

+  transform: translateX(-50%);

   padding: 1em 1em 2em;

   min-width: 85%;

   h1,p {

     text-align: center;

   }

+  p {

+    max-width: 70em;

+    margin: auto;

+  }

 }

 .learn-more-block {

@@ -5,7 +5,7 @@

     'alert-success': alert.type === 'success',

     'alert-info': !alert.type || alert.type === 'info'

   }">

-    <button ng-click="alert.hidden = true" type="button" class="close">

+    <button ng-if="!hideCloseButton" ng-click="alert.hidden = true" type="button" class="close">

       <span class="pficon pficon-close" aria-hidden="true"></span>

       <span class="sr-only">Close</span>

     </button>

@@ -24,7 +24,8 @@

             </a>

           </div>

           <div ng-show="!task.hasErrors || expanded">

-            <alerts alerts="task.alerts"></alerts>

+            <!-- Don't show a close button for each alert since we have one above for all tasks. -->

+            <alerts alerts="task.alerts" hide-close-button="true"></alerts>

           </div>

       </div>

     </div>

@@ -1,5 +1,8 @@

 <default-header class="top-header"></default-header>

 <div class="wrap no-sidebar">

+  <div class="sidebar-left collapse navbar-collapse navbar-collapse-2">

+    <navbar-utility-mobile></navbar-utility-mobile>

+  </div>

   <div class="middle surface-shaded">

     <div class="container surface-shaded">

       <div>

@@ -36,7 +36,8 @@

     "yamljs": "0.1.5",

     "clipboard": "1.5.8",

     "pathseg": "1.0.2",

-    "fontawesome": "4.5.0"

+    "fontawesome": "4.5.0",

+    "ansi_up": "1.3.0"

   },

   "devDependencies": {

     "angular-mocks": "1.3.8",

@@ -8,7 +8,7 @@ After=openvswitch.service

 [Service]

 EnvironmentFile=/etc/sysconfig/origin-node

 ExecStartPre=-/usr/bin/docker rm -f origin-node

-ExecStart=/usr/bin/docker run --name origin-node --rm --privileged --net=host --pid=host --env-file=/etc/sysconfig/origin-node -v /:/rootfs:ro -v /etc/systemd/system:/host-etc/systemd/system -v /etc/localtime:/etc/localtime:ro -v /etc/machine-id:/etc/machine-id:ro -v /lib/modules:/lib/modules -v /run:/run -v /sys:/sys:ro -v /usr/bin/docker:/usr/bin/docker:ro -v /var/lib/docker:/var/lib/docker -v /etc/origin/node:/etc/origin/node -v /etc/origin/openvswitch:/etc/openvswitch -v /etc/origin/sdn:/etc/openshift-sdn -v /var/lib/origin:/var/lib/origin -v /var/log:/var/log -e HOST=/rootfs -e HOST_ETC=/host-etc openshift/node

+ExecStart=/usr/bin/docker run --name origin-node --rm --privileged --net=host --pid=host --env-file=/etc/sysconfig/origin-node -v /:/rootfs:ro -v /etc/systemd/system:/host-etc/systemd/system -v /etc/localtime:/etc/localtime:ro -v /etc/machine-id:/etc/machine-id:ro -v /lib/modules:/lib/modules -v /run:/run -v /sys:/sys:ro -v /usr/bin/docker:/usr/bin/docker:ro -v /var/lib/docker:/var/lib/docker -v /etc/origin/node:/etc/origin/node -v /etc/origin/openvswitch:/etc/openvswitch -v /etc/origin/sdn:/etc/openshift-sdn -v /var/lib/origin:/var/lib/origin -v /var/log:/var/log -v /dev:/dev -e HOST=/rootfs -e HOST_ETC=/host-etc openshift/node

 ExecStartPost=/usr/bin/sleep 10

 ExecStop=/usr/bin/docker stop origin-node

 Restart=always

new file mode 100644

@@ -0,0 +1,40 @@

+FROM openshift/origin

+MAINTAINER Aaron Weitekamp <aweiteka@redhat.com>

+

+ADD install.sh run.sh uninstall.sh /container/bin/

+ADD registry-console-template.yaml \

+    registry-login-template.html \

+    registry-newproject-template-shared.json \

+    registry-newproject-template-unshared.json \

+    /container/etc/origin/