Documentation

Index

Constants

View Source
const GroupName = "policy"

    GroupName is the group name use in this package

    Variables

    View Source
    var (
    	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
    	AddToScheme   = SchemeBuilder.AddToScheme
    )
    View Source
    var AllowAllCapabilities api.Capability = "*"

      AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities field and means that any capabilities are allowed to be requested.

      View Source
      var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

        SchemeGroupVersion is group version used to register these objects

        Functions

        func Kind

        func Kind(kind string) schema.GroupKind

          Kind takes an unqualified kind and returns a Group qualified GroupKind

          func Resource

          func Resource(resource string) schema.GroupResource

            Resource takes an unqualified resource and returns a Group qualified GroupResource

            Types

            type AllowedCSIDriver

            type AllowedCSIDriver struct {
            	// Name is the registered name of the CSI driver
            	Name string
            }

              AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.

              func (*AllowedCSIDriver) DeepCopy

              func (in *AllowedCSIDriver) DeepCopy() *AllowedCSIDriver

                DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedCSIDriver.

                func (*AllowedCSIDriver) DeepCopyInto

                func (in *AllowedCSIDriver) DeepCopyInto(out *AllowedCSIDriver)

                  DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                  type AllowedFlexVolume

                  type AllowedFlexVolume struct {
                  	// Driver is the name of the Flexvolume driver.
                  	Driver string
                  }

                    AllowedFlexVolume represents a single Flexvolume that is allowed to be used.

                    func (*AllowedFlexVolume) DeepCopy

                    func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume

                      DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.

                      func (*AllowedFlexVolume) DeepCopyInto

                      func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)

                        DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                        type AllowedHostPath

                        type AllowedHostPath struct {
                        	// PathPrefix is the path prefix that the host volume must match.
                        	// PathPrefix does not support `*`.
                        	// Trailing slashes are trimmed when validating the path prefix with a host path.
                        	//
                        	// Examples:
                        	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
                        	// `/foo` would not allow `/food` or `/etc/foo`
                        	PathPrefix string
                        
                        	// when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
                        	ReadOnly bool
                        }

                          AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.

                          func (*AllowedHostPath) DeepCopy

                          func (in *AllowedHostPath) DeepCopy() *AllowedHostPath

                            DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.

                            func (*AllowedHostPath) DeepCopyInto

                            func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath)

                              DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                              type Eviction

                              type Eviction struct {
                              	metav1.TypeMeta
                              
                              	// ObjectMeta describes the pod that is being evicted.
                              	// +optional
                              	metav1.ObjectMeta
                              
                              	// DeleteOptions may be provided
                              	// +optional
                              	DeleteOptions *metav1.DeleteOptions
                              }

                                Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/eviction.

                                func (*Eviction) DeepCopy

                                func (in *Eviction) DeepCopy() *Eviction

                                  DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eviction.

                                  func (*Eviction) DeepCopyInto

                                  func (in *Eviction) DeepCopyInto(out *Eviction)

                                    DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                    func (*Eviction) DeepCopyObject

                                    func (in *Eviction) DeepCopyObject() runtime.Object

                                      DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

                                      type FSGroupStrategyOptions

                                      type FSGroupStrategyOptions struct {
                                      	// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
                                      	// +optional
                                      	Rule FSGroupStrategyType
                                      	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
                                      	// fs group then supply a single range with the same start and end. Required for MustRunAs.
                                      	// +optional
                                      	Ranges []IDRange
                                      }

                                        FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

                                        func (*FSGroupStrategyOptions) DeepCopy

                                          DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.

                                          func (*FSGroupStrategyOptions) DeepCopyInto

                                          func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)

                                            DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                            type FSGroupStrategyType

                                            type FSGroupStrategyType string

                                              FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext

                                              const (
                                              	// FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied.
                                              	// However, when FSGroups are specified, they have to fall in the defined range.
                                              	FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs"
                                              	// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
                                              	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
                                              	// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
                                              	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
                                              )

                                              type FSType

                                              type FSType string

                                                FSType gives strong typing to different file systems that are used by volumes.

                                                var (
                                                	AzureFile             FSType = "azureFile"
                                                	Flocker               FSType = "flocker"
                                                	FlexVolume            FSType = "flexVolume"
                                                	HostPath              FSType = "hostPath"
                                                	EmptyDir              FSType = "emptyDir"
                                                	GCEPersistentDisk     FSType = "gcePersistentDisk"
                                                	AWSElasticBlockStore  FSType = "awsElasticBlockStore"
                                                	GitRepo               FSType = "gitRepo"
                                                	Secret                FSType = "secret"
                                                	NFS                   FSType = "nfs"
                                                	ISCSI                 FSType = "iscsi"
                                                	Glusterfs             FSType = "glusterfs"
                                                	PersistentVolumeClaim FSType = "persistentVolumeClaim"
                                                	RBD                   FSType = "rbd"
                                                	Cinder                FSType = "cinder"
                                                	CephFS                FSType = "cephFS"
                                                	DownwardAPI           FSType = "downwardAPI"
                                                	FC                    FSType = "fc"
                                                	ConfigMap             FSType = "configMap"
                                                	VsphereVolume         FSType = "vsphereVolume"
                                                	Quobyte               FSType = "quobyte"
                                                	AzureDisk             FSType = "azureDisk"
                                                	PhotonPersistentDisk  FSType = "photonPersistentDisk"
                                                	StorageOS             FSType = "storageos"
                                                	Projected             FSType = "projected"
                                                	PortworxVolume        FSType = "portworxVolume"
                                                	ScaleIO               FSType = "scaleIO"
                                                	CSI                   FSType = "csi"
                                                	All                   FSType = "*"
                                                )

                                                type HostPortRange

                                                type HostPortRange struct {
                                                	// Min is the start of the range, inclusive.
                                                	Min int32
                                                	// Max is the end of the range, inclusive.
                                                	Max int32
                                                }

                                                  HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.

                                                  func (*HostPortRange) DeepCopy

                                                  func (in *HostPortRange) DeepCopy() *HostPortRange

                                                    DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.

                                                    func (*HostPortRange) DeepCopyInto

                                                    func (in *HostPortRange) DeepCopyInto(out *HostPortRange)

                                                      DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                      type IDRange

                                                      type IDRange struct {
                                                      	// Min is the start of the range, inclusive.
                                                      	Min int64
                                                      	// Max is the end of the range, inclusive.
                                                      	Max int64
                                                      }

                                                        IDRange provides a min/max of an allowed range of IDs.

                                                        func (*IDRange) DeepCopy

                                                        func (in *IDRange) DeepCopy() *IDRange

                                                          DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.

                                                          func (*IDRange) DeepCopyInto

                                                          func (in *IDRange) DeepCopyInto(out *IDRange)

                                                            DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                            type PodDisruptionBudget

                                                            type PodDisruptionBudget struct {
                                                            	metav1.TypeMeta
                                                            	// +optional
                                                            	metav1.ObjectMeta
                                                            
                                                            	// Specification of the desired behavior of the PodDisruptionBudget.
                                                            	// +optional
                                                            	Spec PodDisruptionBudgetSpec
                                                            	// Most recently observed status of the PodDisruptionBudget.
                                                            	// +optional
                                                            	Status PodDisruptionBudgetStatus
                                                            }

                                                              PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods

                                                              func (*PodDisruptionBudget) DeepCopy

                                                              func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget

                                                                DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget.

                                                                func (*PodDisruptionBudget) DeepCopyInto

                                                                func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget)

                                                                  DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                  func (*PodDisruptionBudget) DeepCopyObject

                                                                  func (in *PodDisruptionBudget) DeepCopyObject() runtime.Object

                                                                    DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

                                                                    type PodDisruptionBudgetList

                                                                    type PodDisruptionBudgetList struct {
                                                                    	metav1.TypeMeta
                                                                    	// +optional
                                                                    	metav1.ListMeta
                                                                    	Items []PodDisruptionBudget
                                                                    }

                                                                      PodDisruptionBudgetList is a collection of PodDisruptionBudgets.

                                                                      func (*PodDisruptionBudgetList) DeepCopy

                                                                        DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetList.

                                                                        func (*PodDisruptionBudgetList) DeepCopyInto

                                                                        func (in *PodDisruptionBudgetList) DeepCopyInto(out *PodDisruptionBudgetList)

                                                                          DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                          func (*PodDisruptionBudgetList) DeepCopyObject

                                                                          func (in *PodDisruptionBudgetList) DeepCopyObject() runtime.Object

                                                                            DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

                                                                            type PodDisruptionBudgetSpec

                                                                            type PodDisruptionBudgetSpec struct {
                                                                            	// An eviction is allowed if at least "minAvailable" pods selected by
                                                                            	// "selector" will still be available after the eviction, i.e. even in the
                                                                            	// absence of the evicted pod.  So for example you can prevent all voluntary
                                                                            	// evictions by specifying "100%".
                                                                            	// +optional
                                                                            	MinAvailable *intstr.IntOrString
                                                                            
                                                                            	// Label query over pods whose evictions are managed by the disruption
                                                                            	// budget.
                                                                            	// +optional
                                                                            	Selector *metav1.LabelSelector
                                                                            
                                                                            	// An eviction is allowed if at most "maxUnavailable" pods selected by
                                                                            	// "selector" are unavailable after the eviction, i.e. even in absence of
                                                                            	// the evicted pod. For example, one can prevent all voluntary evictions
                                                                            	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
                                                                            	// +optional
                                                                            	MaxUnavailable *intstr.IntOrString
                                                                            }

                                                                              PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.

                                                                              func (*PodDisruptionBudgetSpec) DeepCopy

                                                                                DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetSpec.

                                                                                func (*PodDisruptionBudgetSpec) DeepCopyInto

                                                                                func (in *PodDisruptionBudgetSpec) DeepCopyInto(out *PodDisruptionBudgetSpec)

                                                                                  DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                  type PodDisruptionBudgetStatus

                                                                                  type PodDisruptionBudgetStatus struct {
                                                                                  	// Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
                                                                                  	// status informatio is valid only if observedGeneration equals to PDB's object generation.
                                                                                  	// +optional
                                                                                  	ObservedGeneration int64
                                                                                  
                                                                                  	// DisruptedPods contains information about pods whose eviction was
                                                                                  	// processed by the API server eviction subresource handler but has not
                                                                                  	// yet been observed by the PodDisruptionBudget controller.
                                                                                  	// A pod will be in this map from the time when the API server processed the
                                                                                  	// eviction request to the time when the pod is seen by PDB controller
                                                                                  	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
                                                                                  	// and the value is the time when the API server processed the eviction request. If
                                                                                  	// the deletion didn't occur and a pod is still there it will be removed from
                                                                                  	// the list automatically by PodDisruptionBudget controller after some time.
                                                                                  	// If everything goes smooth this map should be empty for the most of the time.
                                                                                  	// Large number of entries in the map may indicate problems with pod deletions.
                                                                                  	// +optional
                                                                                  	DisruptedPods map[string]metav1.Time
                                                                                  
                                                                                  	// Number of pod disruptions that are currently allowed.
                                                                                  	PodDisruptionsAllowed int32
                                                                                  
                                                                                  	// current number of healthy pods
                                                                                  	CurrentHealthy int32
                                                                                  
                                                                                  	// minimum desired number of healthy pods
                                                                                  	DesiredHealthy int32
                                                                                  
                                                                                  	// total number of pods counted by this disruption budget
                                                                                  	ExpectedPods int32
                                                                                  }

                                                                                    PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.

                                                                                    func (*PodDisruptionBudgetStatus) DeepCopy

                                                                                      DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetStatus.

                                                                                      func (*PodDisruptionBudgetStatus) DeepCopyInto

                                                                                        DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                        type PodSecurityPolicy

                                                                                        type PodSecurityPolicy struct {
                                                                                        	metav1.TypeMeta
                                                                                        	// +optional
                                                                                        	metav1.ObjectMeta
                                                                                        
                                                                                        	// Spec defines the policy enforced.
                                                                                        	// +optional
                                                                                        	Spec PodSecurityPolicySpec
                                                                                        }

                                                                                          PodSecurityPolicy governs the ability to make requests that affect the SecurityContext that will be applied to a pod and container.

                                                                                          func (*PodSecurityPolicy) DeepCopy

                                                                                          func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy

                                                                                            DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.

                                                                                            func (*PodSecurityPolicy) DeepCopyInto

                                                                                            func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy)

                                                                                              DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                              func (*PodSecurityPolicy) DeepCopyObject

                                                                                              func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object

                                                                                                DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

                                                                                                type PodSecurityPolicyList

                                                                                                type PodSecurityPolicyList struct {
                                                                                                	metav1.TypeMeta
                                                                                                	// +optional
                                                                                                	metav1.ListMeta
                                                                                                
                                                                                                	Items []PodSecurityPolicy
                                                                                                }

                                                                                                  PodSecurityPolicyList is a list of PodSecurityPolicy objects.

                                                                                                  func (*PodSecurityPolicyList) DeepCopy

                                                                                                    DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.

                                                                                                    func (*PodSecurityPolicyList) DeepCopyInto

                                                                                                    func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList)

                                                                                                      DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                                      func (*PodSecurityPolicyList) DeepCopyObject

                                                                                                      func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object

                                                                                                        DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

                                                                                                        type PodSecurityPolicySpec

                                                                                                        type PodSecurityPolicySpec struct {
                                                                                                        	// Privileged determines if a pod can request to be run as privileged.
                                                                                                        	// +optional
                                                                                                        	Privileged bool
                                                                                                        	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
                                                                                                        	// unless the pod spec specifically drops the capability.  You may not list a capability in both
                                                                                                        	// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
                                                                                                        	// allowed, and need not be included in the AllowedCapabilities list.
                                                                                                        	// +optional
                                                                                                        	DefaultAddCapabilities []api.Capability
                                                                                                        	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
                                                                                                        	// are required to be dropped and cannot be added.
                                                                                                        	// +optional
                                                                                                        	RequiredDropCapabilities []api.Capability
                                                                                                        	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
                                                                                                        	// Capabilities in this field may be added at the pod author's discretion.
                                                                                                        	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
                                                                                                        	// To allow all capabilities you may use '*'.
                                                                                                        	// +optional
                                                                                                        	AllowedCapabilities []api.Capability
                                                                                                        	// Volumes is a white list of allowed volume plugins. Empty indicates that
                                                                                                        	// no volumes may be used. To allow all volumes you may use '*'.
                                                                                                        	// +optional
                                                                                                        	Volumes []FSType
                                                                                                        	// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
                                                                                                        	// +optional
                                                                                                        	HostNetwork bool
                                                                                                        	// HostPorts determines which host port ranges are allowed to be exposed.
                                                                                                        	// +optional
                                                                                                        	HostPorts []HostPortRange
                                                                                                        	// HostPID determines if the policy allows the use of HostPID in the pod spec.
                                                                                                        	// +optional
                                                                                                        	HostPID bool
                                                                                                        	// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
                                                                                                        	// +optional
                                                                                                        	HostIPC bool
                                                                                                        	// SELinux is the strategy that will dictate the allowable labels that may be set.
                                                                                                        	SELinux SELinuxStrategyOptions
                                                                                                        	// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
                                                                                                        	RunAsUser RunAsUserStrategyOptions
                                                                                                        	// RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
                                                                                                        	// If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
                                                                                                        	// RunAsGroup feature gate to be enabled.
                                                                                                        	RunAsGroup *RunAsGroupStrategyOptions
                                                                                                        	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
                                                                                                        	SupplementalGroups SupplementalGroupsStrategyOptions
                                                                                                        	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
                                                                                                        	FSGroup FSGroupStrategyOptions
                                                                                                        	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
                                                                                                        	// system.  If the container specifically requests to run with a non-read only root file system
                                                                                                        	// the PSP should deny the pod.
                                                                                                        	// If set to false the container may run with a read only root file system if it wishes but it
                                                                                                        	// will not be forced to.
                                                                                                        	// +optional
                                                                                                        	ReadOnlyRootFilesystem bool
                                                                                                        	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
                                                                                                        	// process can gain more privileges than its parent process.
                                                                                                        	// +optional
                                                                                                        	DefaultAllowPrivilegeEscalation *bool
                                                                                                        	// AllowPrivilegeEscalation determines if a pod can request to allow
                                                                                                        	// privilege escalation. If unspecified, defaults to true.
                                                                                                        	// +optional
                                                                                                        	AllowPrivilegeEscalation bool
                                                                                                        	// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
                                                                                                        	// +optional
                                                                                                        	AllowedHostPaths []AllowedHostPath
                                                                                                        	// AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
                                                                                                        	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
                                                                                                        	// is allowed in the "Volumes" field.
                                                                                                        	// +optional
                                                                                                        	AllowedFlexVolumes []AllowedFlexVolume
                                                                                                        	// AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
                                                                                                        	// An empty value means no CSI drivers can run inline within a pod spec.
                                                                                                        	// +optional
                                                                                                        	AllowedCSIDrivers []AllowedCSIDriver
                                                                                                        	// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
                                                                                                        	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
                                                                                                        	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
                                                                                                        	// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
                                                                                                        	//
                                                                                                        	// Examples:
                                                                                                        	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
                                                                                                        	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
                                                                                                        	// +optional
                                                                                                        	AllowedUnsafeSysctls []string
                                                                                                        	// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
                                                                                                        	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
                                                                                                        	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
                                                                                                        	//
                                                                                                        	// Examples:
                                                                                                        	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
                                                                                                        	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
                                                                                                        	// +optional
                                                                                                        	ForbiddenSysctls []string
                                                                                                        	// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
                                                                                                        	// Empty or nil indicates that only the DefaultProcMountType may be used.
                                                                                                        	// +optional
                                                                                                        	AllowedProcMountTypes []api.ProcMountType
                                                                                                        }

                                                                                                          PodSecurityPolicySpec defines the policy enforced.

                                                                                                          func (*PodSecurityPolicySpec) DeepCopy

                                                                                                            DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.

                                                                                                            func (*PodSecurityPolicySpec) DeepCopyInto

                                                                                                            func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec)

                                                                                                              DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                                              type RunAsGroupStrategy

                                                                                                              type RunAsGroupStrategy string

                                                                                                                RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a SecurityContext.

                                                                                                                const (
                                                                                                                	// RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid.
                                                                                                                	// However, when RunAsGroup are specified, they have to fall in the defined range.
                                                                                                                	RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs"
                                                                                                                	// RunAsGroupStrategyMustRunAs means that container must run as a particular gid.
                                                                                                                	RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs"
                                                                                                                	// RunAsGroupStrategyRunAsAny means that container may make requests for any gid.
                                                                                                                	RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny"
                                                                                                                )

                                                                                                                type RunAsGroupStrategyOptions

                                                                                                                type RunAsGroupStrategyOptions struct {
                                                                                                                	// Rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
                                                                                                                	Rule RunAsGroupStrategy
                                                                                                                	// Ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
                                                                                                                	// then supply a single range with the same start and end. Required for MustRunAs.
                                                                                                                	// +optional
                                                                                                                	Ranges []IDRange
                                                                                                                }

                                                                                                                  RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.

                                                                                                                  func (*RunAsGroupStrategyOptions) DeepCopy

                                                                                                                    DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions.

                                                                                                                    func (*RunAsGroupStrategyOptions) DeepCopyInto

                                                                                                                      DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                                                      type RunAsUserStrategy

                                                                                                                      type RunAsUserStrategy string

                                                                                                                        RunAsUserStrategy denotes strategy types for generating RunAsUser values for a SecurityContext.

                                                                                                                        const (
                                                                                                                        	// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
                                                                                                                        	RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
                                                                                                                        	// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
                                                                                                                        	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
                                                                                                                        	// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
                                                                                                                        	RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
                                                                                                                        )

                                                                                                                        type RunAsUserStrategyOptions

                                                                                                                        type RunAsUserStrategyOptions struct {
                                                                                                                        	// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
                                                                                                                        	Rule RunAsUserStrategy
                                                                                                                        	// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
                                                                                                                        	// then supply a single range with the same start and end. Required for MustRunAs.
                                                                                                                        	// +optional
                                                                                                                        	Ranges []IDRange
                                                                                                                        }

                                                                                                                          RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

                                                                                                                          func (*RunAsUserStrategyOptions) DeepCopy

                                                                                                                            DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.

                                                                                                                            func (*RunAsUserStrategyOptions) DeepCopyInto

                                                                                                                            func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)

                                                                                                                              DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                                                              type SELinuxStrategy

                                                                                                                              type SELinuxStrategy string

                                                                                                                                SELinuxStrategy denotes strategy types for generating SELinux options for a Security.

                                                                                                                                const (
                                                                                                                                	// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
                                                                                                                                	SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
                                                                                                                                	// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
                                                                                                                                	SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
                                                                                                                                )

                                                                                                                                type SELinuxStrategyOptions

                                                                                                                                type SELinuxStrategyOptions struct {
                                                                                                                                	// Rule is the strategy that will dictate the allowable labels that may be set.
                                                                                                                                	Rule SELinuxStrategy
                                                                                                                                	// SELinuxOptions required to run as; required for MustRunAs
                                                                                                                                	// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
                                                                                                                                	// +optional
                                                                                                                                	SELinuxOptions *api.SELinuxOptions
                                                                                                                                }

                                                                                                                                  SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.

                                                                                                                                  func (*SELinuxStrategyOptions) DeepCopy

                                                                                                                                    DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.

                                                                                                                                    func (*SELinuxStrategyOptions) DeepCopyInto

                                                                                                                                    func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions)

                                                                                                                                      DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                                                                      type SupplementalGroupsStrategyOptions

                                                                                                                                      type SupplementalGroupsStrategyOptions struct {
                                                                                                                                      	// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
                                                                                                                                      	// +optional
                                                                                                                                      	Rule SupplementalGroupsStrategyType
                                                                                                                                      	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
                                                                                                                                      	// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
                                                                                                                                      	// +optional
                                                                                                                                      	Ranges []IDRange
                                                                                                                                      }

                                                                                                                                        SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

                                                                                                                                        func (*SupplementalGroupsStrategyOptions) DeepCopy

                                                                                                                                          DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.

                                                                                                                                          func (*SupplementalGroupsStrategyOptions) DeepCopyInto

                                                                                                                                            DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

                                                                                                                                            type SupplementalGroupsStrategyType

                                                                                                                                            type SupplementalGroupsStrategyType string

                                                                                                                                              SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.

                                                                                                                                              const (
                                                                                                                                              	// SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid.
                                                                                                                                              	// However, when gids are specified, they have to fall in the defined range.
                                                                                                                                              	SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs"
                                                                                                                                              	// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
                                                                                                                                              	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
                                                                                                                                              	// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
                                                                                                                                              	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
                                                                                                                                              )

                                                                                                                                              Directories

                                                                                                                                              Path Synopsis
                                                                                                                                              Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
                                                                                                                                              Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
                                                                                                                                              Package policy is for any kind of policy object.
                                                                                                                                              Package policy is for any kind of policy object.