Documentation ¶
Index ¶
- Constants
- Variables
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- type AllowedCSIDriver
- type AllowedFlexVolume
- type AllowedHostPath
- type Eviction
- type FSGroupStrategyOptions
- type FSGroupStrategyType
- type FSType
- type HostPortRange
- type IDRange
- type PodDisruptionBudget
- type PodDisruptionBudgetList
- type PodDisruptionBudgetSpec
- type PodDisruptionBudgetStatus
- type PodSecurityPolicy
- type PodSecurityPolicyList
- type PodSecurityPolicySpec
- type RunAsGroupStrategy
- type RunAsGroupStrategyOptions
- type RunAsUserStrategy
- type RunAsUserStrategyOptions
- type RuntimeClassStrategyOptions
- type SELinuxStrategy
- type SELinuxStrategyOptions
- type SupplementalGroupsStrategyOptions
- type SupplementalGroupsStrategyType
Constants ¶
const AllowAllRuntimeClassNames = "*"
AllowAllRuntimeClassNames can be used as a value for the RuntimeClassStrategyOptions.allowedRuntimeClassNames field and means that any runtimeClassName is allowed.
const GroupName = "policy"
GroupName is the group name use in this package
Variables ¶
var ( SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme )
var AllowAllCapabilities api.Capability = "*"
AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities field and means that any capabilities are allowed to be requested.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
SchemeGroupVersion is group version used to register these objects
Functions ¶
func Kind ¶
Kind takes an unqualified kind and returns a Group qualified GroupKind
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AllowedCSIDriver ¶
type AllowedCSIDriver struct { // Name is the registered name of the CSI driver Name string }
AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.
func (*AllowedCSIDriver) DeepCopy ¶
func (in *AllowedCSIDriver) DeepCopy() *AllowedCSIDriver
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedCSIDriver.
func (*AllowedCSIDriver) DeepCopyInto ¶
func (in *AllowedCSIDriver) DeepCopyInto(out *AllowedCSIDriver)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AllowedFlexVolume ¶
type AllowedFlexVolume struct { // Driver is the name of the Flexvolume driver. Driver string }
AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
func (*AllowedFlexVolume) DeepCopy ¶
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
func (*AllowedFlexVolume) DeepCopyInto ¶
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AllowedHostPath ¶
type AllowedHostPath struct { // PathPrefix is the path prefix that the host volume must match. // PathPrefix does not support `*`. // Trailing slashes are trimmed when validating the path prefix with a host path. // // Examples: // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` // `/foo` would not allow `/food` or `/etc/foo` PathPrefix string // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly. ReadOnly bool }
AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.
func (*AllowedHostPath) DeepCopy ¶
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
func (*AllowedHostPath) DeepCopyInto ¶
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Eviction ¶
type Eviction struct { metav1.TypeMeta // ObjectMeta describes the pod that is being evicted. // +optional metav1.ObjectMeta // DeleteOptions may be provided // +optional DeleteOptions *metav1.DeleteOptions }
Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/eviction.
func (*Eviction) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eviction.
func (*Eviction) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FSGroupStrategyOptions ¶
type FSGroupStrategyOptions struct { // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext. // +optional Rule FSGroupStrategyType // Ranges are the allowed ranges of fs groups. If you would like to force a single // fs group then supply a single range with the same start and end. Required for MustRunAs. // +optional Ranges []IDRange }
FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
func (*FSGroupStrategyOptions) DeepCopy ¶
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
func (*FSGroupStrategyOptions) DeepCopyInto ¶
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FSGroupStrategyType ¶
type FSGroupStrategyType string
FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext
const ( // FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied. // However, when FSGroups are specified, they have to fall in the defined range. FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs" // FSGroupStrategyMustRunAs means that container must have FSGroup of X applied. FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" )
type FSType ¶
type FSType string
FSType gives strong typing to different file systems that are used by volumes.
var ( AzureFile FSType = "azureFile" Flocker FSType = "flocker" FlexVolume FSType = "flexVolume" HostPath FSType = "hostPath" EmptyDir FSType = "emptyDir" GCEPersistentDisk FSType = "gcePersistentDisk" AWSElasticBlockStore FSType = "awsElasticBlockStore" GitRepo FSType = "gitRepo" Secret FSType = "secret" NFS FSType = "nfs" ISCSI FSType = "iscsi" Glusterfs FSType = "glusterfs" PersistentVolumeClaim FSType = "persistentVolumeClaim" RBD FSType = "rbd" Cinder FSType = "cinder" CephFS FSType = "cephFS" DownwardAPI FSType = "downwardAPI" FC FSType = "fc" ConfigMap FSType = "configMap" VsphereVolume FSType = "vsphereVolume" Quobyte FSType = "quobyte" AzureDisk FSType = "azureDisk" PhotonPersistentDisk FSType = "photonPersistentDisk" StorageOS FSType = "storageos" Projected FSType = "projected" PortworxVolume FSType = "portworxVolume" ScaleIO FSType = "scaleIO" CSI FSType = "csi" All FSType = "*" )
type HostPortRange ¶
type HostPortRange struct { // Min is the start of the range, inclusive. Min int32 // Max is the end of the range, inclusive. Max int32 }
HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.
func (*HostPortRange) DeepCopy ¶
func (in *HostPortRange) DeepCopy() *HostPortRange
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
func (*HostPortRange) DeepCopyInto ¶
func (in *HostPortRange) DeepCopyInto(out *HostPortRange)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IDRange ¶
type IDRange struct { // Min is the start of the range, inclusive. Min int64 // Max is the end of the range, inclusive. Max int64 }
IDRange provides a min/max of an allowed range of IDs.
func (*IDRange) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.
type PodDisruptionBudget ¶
type PodDisruptionBudget struct { metav1.TypeMeta // +optional metav1.ObjectMeta // Specification of the desired behavior of the PodDisruptionBudget. // +optional Spec PodDisruptionBudgetSpec // Most recently observed status of the PodDisruptionBudget. // +optional Status PodDisruptionBudgetStatus }
PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
func (*PodDisruptionBudget) DeepCopy ¶
func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget.
func (*PodDisruptionBudget) DeepCopyInto ¶
func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodDisruptionBudget) DeepCopyObject ¶
func (in *PodDisruptionBudget) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodDisruptionBudgetList ¶
type PodDisruptionBudgetList struct { metav1.TypeMeta // +optional metav1.ListMeta Items []PodDisruptionBudget }
PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
func (*PodDisruptionBudgetList) DeepCopy ¶
func (in *PodDisruptionBudgetList) DeepCopy() *PodDisruptionBudgetList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetList.
func (*PodDisruptionBudgetList) DeepCopyInto ¶
func (in *PodDisruptionBudgetList) DeepCopyInto(out *PodDisruptionBudgetList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodDisruptionBudgetList) DeepCopyObject ¶
func (in *PodDisruptionBudgetList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodDisruptionBudgetSpec ¶
type PodDisruptionBudgetSpec struct { // An eviction is allowed if at least "minAvailable" pods selected by // "selector" will still be available after the eviction, i.e. even in the // absence of the evicted pod. So for example you can prevent all voluntary // evictions by specifying "100%". // +optional MinAvailable *intstr.IntOrString // Label query over pods whose evictions are managed by the disruption // budget. // +optional Selector *metav1.LabelSelector // "selector" are unavailable after the eviction, i.e. even in absence of // the evicted pod. For example, one can prevent all voluntary evictions // by specifying 0. This is a mutually exclusive setting with "minAvailable". // +optional MaxUnavailable *intstr.IntOrString }
PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
func (*PodDisruptionBudgetSpec) DeepCopy ¶
func (in *PodDisruptionBudgetSpec) DeepCopy() *PodDisruptionBudgetSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetSpec.
func (*PodDisruptionBudgetSpec) DeepCopyInto ¶
func (in *PodDisruptionBudgetSpec) DeepCopyInto(out *PodDisruptionBudgetSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodDisruptionBudgetStatus ¶
type PodDisruptionBudgetStatus struct { // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other // status informatio is valid only if observedGeneration equals to PDB's object generation. // +optional ObservedGeneration int64 // DisruptedPods contains information about pods whose eviction was // processed by the API server eviction subresource handler but has not // yet been observed by the PodDisruptionBudget controller. // A pod will be in this map from the time when the API server processed the // eviction request to the time when the pod is seen by PDB controller // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod // and the value is the time when the API server processed the eviction request. If // the deletion didn't occur and a pod is still there it will be removed from // the list automatically by PodDisruptionBudget controller after some time. // If everything goes smooth this map should be empty for the most of the time. // Large number of entries in the map may indicate problems with pod deletions. // +optional DisruptedPods map[string]metav1.Time // Number of pod disruptions that are currently allowed. PodDisruptionsAllowed int32 // current number of healthy pods CurrentHealthy int32 // minimum desired number of healthy pods DesiredHealthy int32 // total number of pods counted by this disruption budget ExpectedPods int32 }
PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.
func (*PodDisruptionBudgetStatus) DeepCopy ¶
func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetStatus.
func (*PodDisruptionBudgetStatus) DeepCopyInto ¶
func (in *PodDisruptionBudgetStatus) DeepCopyInto(out *PodDisruptionBudgetStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicy ¶
type PodSecurityPolicy struct { metav1.TypeMeta // +optional metav1.ObjectMeta // Spec defines the policy enforced. // +optional Spec PodSecurityPolicySpec }
PodSecurityPolicy governs the ability to make requests that affect the SecurityContext that will be applied to a pod and container.
func (*PodSecurityPolicy) DeepCopy ¶
func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
func (*PodSecurityPolicy) DeepCopyInto ¶
func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicy) DeepCopyObject ¶
func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicyList ¶
type PodSecurityPolicyList struct { metav1.TypeMeta // +optional metav1.ListMeta Items []PodSecurityPolicy }
PodSecurityPolicyList is a list of PodSecurityPolicy objects.
func (*PodSecurityPolicyList) DeepCopy ¶
func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
func (*PodSecurityPolicyList) DeepCopyInto ¶
func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicyList) DeepCopyObject ¶
func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicySpec ¶
type PodSecurityPolicySpec struct { // Privileged determines if a pod can request to be run as privileged. // +optional Privileged bool // DefaultAddCapabilities is the default set of capabilities that will be added to the container // unless the pod spec specifically drops the capability. You may not list a capability in both // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly // allowed, and need not be included in the AllowedCapabilities list. // +optional DefaultAddCapabilities []api.Capability // RequiredDropCapabilities are the capabilities that will be dropped from the container. These // are required to be dropped and cannot be added. // +optional RequiredDropCapabilities []api.Capability // AllowedCapabilities is a list of capabilities that can be requested to add to the container. // Capabilities in this field may be added at the pod author's discretion. // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. // To allow all capabilities you may use '*'. // +optional AllowedCapabilities []api.Capability // Volumes is a white list of allowed volume plugins. Empty indicates that // no volumes may be used. To allow all volumes you may use '*'. // +optional Volumes []FSType // HostNetwork determines if the policy allows the use of HostNetwork in the pod spec. // +optional HostNetwork bool // HostPorts determines which host port ranges are allowed to be exposed. // +optional HostPorts []HostPortRange // HostPID determines if the policy allows the use of HostPID in the pod spec. // +optional HostPID bool // HostIPC determines if the policy allows the use of HostIPC in the pod spec. // +optional HostIPC bool // SELinux is the strategy that will dictate the allowable labels that may be set. SELinux SELinuxStrategyOptions // RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. RunAsUser RunAsUserStrategyOptions // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. // If this field is omitted, the pod's RunAsGroup can take any value. This field requires the // RunAsGroup feature gate to be enabled. RunAsGroup *RunAsGroupStrategyOptions // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. SupplementalGroups SupplementalGroupsStrategyOptions // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext. FSGroup FSGroupStrategyOptions // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the PSP should deny the pod. // If set to false the container may run with a read only root file system if it wishes but it // will not be forced to. // +optional ReadOnlyRootFilesystem bool // DefaultAllowPrivilegeEscalation controls the default setting for whether a // process can gain more privileges than its parent process. // +optional DefaultAllowPrivilegeEscalation *bool // AllowPrivilegeEscalation determines if a pod can request to allow // privilege escalation. If unspecified, defaults to true. // +optional AllowPrivilegeEscalation bool // AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used. // +optional AllowedHostPaths []AllowedHostPath // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes // is allowed in the "Volumes" field. // +optional AllowedFlexVolumes []AllowedFlexVolume // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. // An empty value indicates that any CSI driver can be used for inline ephemeral volumes. // This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate. // +optional AllowedCSIDrivers []AllowedCSIDriver // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. // // Examples: // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. // +optional AllowedUnsafeSysctls []string // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. // // Examples: // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. // +optional ForbiddenSysctls []string // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. // Empty or nil indicates that only the DefaultProcMountType may be used. // +optional AllowedProcMountTypes []api.ProcMountType // runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. // If this field is omitted, the pod's runtimeClassName field is unrestricted. // Enforcement of this field depends on the RuntimeClass feature gate being enabled. // +optional RuntimeClass *RuntimeClassStrategyOptions }
PodSecurityPolicySpec defines the policy enforced.
func (*PodSecurityPolicySpec) DeepCopy ¶
func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
func (*PodSecurityPolicySpec) DeepCopyInto ¶
func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RunAsGroupStrategy ¶
type RunAsGroupStrategy string
RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a SecurityContext.
const ( // RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid. // However, when RunAsGroup are specified, they have to fall in the defined range. RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs" // RunAsGroupStrategyMustRunAs means that container must run as a particular gid. RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs" // RunAsGroupStrategyRunAsAny means that container may make requests for any gid. RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny" )
type RunAsGroupStrategyOptions ¶
type RunAsGroupStrategyOptions struct { // Rule is the strategy that will dictate the allowable RunAsGroup values that may be set. Rule RunAsGroupStrategy // Ranges are the allowed ranges of gids that may be used. If you would like to force a single gid // then supply a single range with the same start and end. Required for MustRunAs. // +optional Ranges []IDRange }
RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.
func (*RunAsGroupStrategyOptions) DeepCopy ¶
func (in *RunAsGroupStrategyOptions) DeepCopy() *RunAsGroupStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions.
func (*RunAsGroupStrategyOptions) DeepCopyInto ¶
func (in *RunAsGroupStrategyOptions) DeepCopyInto(out *RunAsGroupStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RunAsUserStrategy ¶
type RunAsUserStrategy string
RunAsUserStrategy denotes strategy types for generating RunAsUser values for a SecurityContext.
const ( // RunAsUserStrategyMustRunAs means that container must run as a particular uid. RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" // RunAsUserStrategyRunAsAny means that container may make requests for any uid. RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" )
type RunAsUserStrategyOptions ¶
type RunAsUserStrategyOptions struct { // Rule is the strategy that will dictate the allowable RunAsUser values that may be set. Rule RunAsUserStrategy // Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid // then supply a single range with the same start and end. Required for MustRunAs. // +optional Ranges []IDRange }
RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
func (*RunAsUserStrategyOptions) DeepCopy ¶
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
func (*RunAsUserStrategyOptions) DeepCopyInto ¶
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuntimeClassStrategyOptions ¶
type RuntimeClassStrategyOptions struct { // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the // list. An empty list requires the RuntimeClassName field to be unset. AllowedRuntimeClassNames []string // defaultRuntimeClassName is the default RuntimeClassName to set on the pod. // The default MUST be allowed by the allowedRuntimeClassNames list. // A value of nil does not mutate the Pod. // +optional DefaultRuntimeClassName *string }
RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.
func (*RuntimeClassStrategyOptions) DeepCopy ¶
func (in *RuntimeClassStrategyOptions) DeepCopy() *RuntimeClassStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeClassStrategyOptions.
func (*RuntimeClassStrategyOptions) DeepCopyInto ¶
func (in *RuntimeClassStrategyOptions) DeepCopyInto(out *RuntimeClassStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SELinuxStrategy ¶
type SELinuxStrategy string
SELinuxStrategy denotes strategy types for generating SELinux options for a Security.
const ( // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" )
type SELinuxStrategyOptions ¶
type SELinuxStrategyOptions struct { // Rule is the strategy that will dictate the allowable labels that may be set. Rule SELinuxStrategy // SELinuxOptions required to run as; required for MustRunAs // More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux // +optional SELinuxOptions *api.SELinuxOptions }
SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
func (*SELinuxStrategyOptions) DeepCopy ¶
func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
func (*SELinuxStrategyOptions) DeepCopyInto ¶
func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SupplementalGroupsStrategyOptions ¶
type SupplementalGroupsStrategyOptions struct { // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext. // +optional Rule SupplementalGroupsStrategyType // Ranges are the allowed ranges of supplemental groups. If you would like to force a single // supplemental group then supply a single range with the same start and end. Required for MustRunAs. // +optional Ranges []IDRange }
SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
func (*SupplementalGroupsStrategyOptions) DeepCopy ¶
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
func (*SupplementalGroupsStrategyOptions) DeepCopyInto ¶
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SupplementalGroupsStrategyType ¶
type SupplementalGroupsStrategyType string
SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.
const ( // SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid. // However, when gids are specified, they have to fall in the defined range. SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs" // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" )
Directories ¶
Path | Synopsis |
---|---|
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
|
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery. |
Package policy is for any kind of policy object.
|
Package policy is for any kind of policy object. |