security

package
v3.6.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 30, 2017 License: Apache-2.0 Imports: 6 Imported by: 0

Documentation

Overview

+groupName=security.openshift.io Package api is the internal version of the API.

Index

Constants

View Source
const (
	GroupName       = "security.openshift.io"
	LegacyGroupName = ""
)
View Source
const (
	// container must have SELinux labels of X applied.
	SELinuxStrategyMustRunAs SELinuxContextStrategyType = "MustRunAs"
	// container may make requests for any SELinux context labels.
	SELinuxStrategyRunAsAny SELinuxContextStrategyType = "RunAsAny"

	// container must run as a particular uid.
	RunAsUserStrategyMustRunAs RunAsUserStrategyType = "MustRunAs"
	// container must run as a particular uid.
	RunAsUserStrategyMustRunAsRange RunAsUserStrategyType = "MustRunAsRange"
	// container must run as a non-root uid
	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategyType = "MustRunAsNonRoot"
	// container may make requests for any uid.
	RunAsUserStrategyRunAsAny RunAsUserStrategyType = "RunAsAny"

	// container must have FSGroup of X applied.
	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
	// container may make requests for any FSGroup labels.
	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"

	// container must run as a particular gid.
	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
	// container may make requests for any gid.
	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)

Variables

View Source
var (
	SchemeGroupVersion       = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
	LegacySchemeGroupVersion = schema.GroupVersion{Group: LegacyGroupName, Version: runtime.APIVersionInternal}

	LegacySchemeBuilder    = runtime.NewSchemeBuilder(addLegacyKnownTypes)
	AddToSchemeInCoreGroup = LegacySchemeBuilder.AddToScheme

	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)

SchemeGroupVersion is group version used to register these objects

Functions

func DeepCopy_security_FSGroupStrategyOptions

func DeepCopy_security_FSGroupStrategyOptions(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_IDRange

func DeepCopy_security_IDRange(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicyReview

func DeepCopy_security_PodSecurityPolicyReview(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicyReviewSpec

func DeepCopy_security_PodSecurityPolicyReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicyReviewStatus

func DeepCopy_security_PodSecurityPolicyReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicySelfSubjectReview

func DeepCopy_security_PodSecurityPolicySelfSubjectReview(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicySelfSubjectReviewSpec

func DeepCopy_security_PodSecurityPolicySelfSubjectReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicySubjectReview

func DeepCopy_security_PodSecurityPolicySubjectReview(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicySubjectReviewSpec

func DeepCopy_security_PodSecurityPolicySubjectReviewSpec(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_PodSecurityPolicySubjectReviewStatus

func DeepCopy_security_PodSecurityPolicySubjectReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_RunAsUserStrategyOptions

func DeepCopy_security_RunAsUserStrategyOptions(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_SELinuxContextStrategyOptions

func DeepCopy_security_SELinuxContextStrategyOptions(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_SecurityContextConstraints

func DeepCopy_security_SecurityContextConstraints(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_SecurityContextConstraintsList

func DeepCopy_security_SecurityContextConstraintsList(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_ServiceAccountPodSecurityPolicyReviewStatus

func DeepCopy_security_ServiceAccountPodSecurityPolicyReviewStatus(in interface{}, out interface{}, c *conversion.Cloner) error

func DeepCopy_security_SupplementalGroupsStrategyOptions

func DeepCopy_security_SupplementalGroupsStrategyOptions(in interface{}, out interface{}, c *conversion.Cloner) error

func IsKindOrLegacy

func IsKindOrLegacy(kind string, gk schema.GroupKind) bool

IsKindOrLegacy checks if the provided GroupKind matches with the given kind by looking up the API group and also the legacy API.

func IsResourceOrLegacy

func IsResourceOrLegacy(resource string, gr schema.GroupResource) bool

IsResourceOrLegacy checks if the provided GroupResources matches with the given resource by looking up the API group and also the legacy API.

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns back a Group qualified GroupKind

func LegacyKind

func LegacyKind(kind string) schema.GroupKind

func LegacyResource

func LegacyResource(resource string) schema.GroupResource

func RegisterDeepCopies

func RegisterDeepCopies(scheme *runtime.Scheme) error

RegisterDeepCopies adds deep-copy functions to the given scheme. Public to allow building arbitrary schemes.

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns back a Group qualified GroupResource

Types

type FSGroupStrategyOptions

type FSGroupStrategyOptions struct {
	// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
	Type FSGroupStrategyType
	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
	// fs group then supply a single range with the same start and end.
	Ranges []IDRange
}

FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

type FSGroupStrategyType

type FSGroupStrategyType string

FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext

type FSType

type FSType string

FS Type gives strong typing to different file systems that are used by volumes.

var (
	FSTypeAzureFile             FSType = "azureFile"
	FSTypeAzureDisk             FSType = "azureDisk"
	FSTypeFlocker               FSType = "flocker"
	FSTypeFlexVolume            FSType = "flexVolume"
	FSTypeHostPath              FSType = "hostPath"
	FSTypeEmptyDir              FSType = "emptyDir"
	FSTypeGCEPersistentDisk     FSType = "gcePersistentDisk"
	FSTypeAWSElasticBlockStore  FSType = "awsElasticBlockStore"
	FSTypeGitRepo               FSType = "gitRepo"
	FSTypeSecret                FSType = "secret"
	FSTypeNFS                   FSType = "nfs"
	FSTypeISCSI                 FSType = "iscsi"
	FSTypeGlusterfs             FSType = "glusterfs"
	FSTypePersistentVolumeClaim FSType = "persistentVolumeClaim"
	FSTypeRBD                   FSType = "rbd"
	FSTypeCinder                FSType = "cinder"
	FSTypeCephFS                FSType = "cephFS"
	FSTypeDownwardAPI           FSType = "downwardAPI"
	FSTypeFC                    FSType = "fc"
	FSTypeConfigMap             FSType = "configMap"
	FSTypeVsphereVolume         FSType = "vsphere"
	FSTypeQuobyte               FSType = "quobyte"
	FSTypePhotonPersistentDisk  FSType = "photonPersistentDisk"
	FSProjected                 FSType = "projected"
	FSPortworxVolume            FSType = "portworxVolume"
	FSScaleIO                   FSType = "scaleIO"
	FSTypeAll                   FSType = "*"
	FSTypeNone                  FSType = "none"
)

type IDRange

type IDRange struct {
	// Min is the start of the range, inclusive.
	Min int64
	// Max is the end of the range, inclusive.
	Max int64
}

IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.

type PodSecurityPolicyReview

type PodSecurityPolicyReview struct {
	metav1.TypeMeta

	// Spec is the PodSecurityPolicy to check.
	Spec PodSecurityPolicyReviewSpec

	// Status represents the current information/status for the PodSecurityPolicyReview.
	Status PodSecurityPolicyReviewStatus
}

PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.

type PodSecurityPolicyReviewSpec

type PodSecurityPolicyReviewSpec struct {
	// Template is the PodTemplateSpec to check. The PodTemplateSpec.Spec.ServiceAccountName field is used
	// if ServiceAccountNames is empty, unless the PodTemplateSpec.Spec.ServiceAccountName is empty,
	// in which case "default" is used.
	// If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored.
	Template kapi.PodTemplateSpec

	// ServiceAccountNames is an optional set of ServiceAccounts to run the check with.
	// If ServiceAccountNames is empty, the PodTemplateSpec.Spec.ServiceAccountName is used,
	// unless it's empty, in which case "default" is used instead.
	// If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored.
	ServiceAccountNames []string // TODO: find a way to express 'all service accounts'
}

PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview

type PodSecurityPolicyReviewStatus

type PodSecurityPolicyReviewStatus struct {
	// AllowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
	AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus
}

PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.

type PodSecurityPolicySelfSubjectReview

type PodSecurityPolicySelfSubjectReview struct {
	metav1.TypeMeta

	// Spec defines specification the PodSecurityPolicySelfSubjectReview.
	Spec PodSecurityPolicySelfSubjectReviewSpec

	// Status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
	Status PodSecurityPolicySubjectReviewStatus
}

PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec.

type PodSecurityPolicySelfSubjectReviewSpec

type PodSecurityPolicySelfSubjectReviewSpec struct {
	// Template is the PodTemplateSpec to check.
	Template kapi.PodTemplateSpec
}

PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.

type PodSecurityPolicySubjectReview

type PodSecurityPolicySubjectReview struct {
	metav1.TypeMeta

	// Spec defines specification for the PodSecurityPolicySubjectReview.
	Spec PodSecurityPolicySubjectReviewSpec

	// Status represents the current information/status for the PodSecurityPolicySubjectReview.
	Status PodSecurityPolicySubjectReviewStatus
}

PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.

type PodSecurityPolicySubjectReviewSpec

type PodSecurityPolicySubjectReviewSpec struct {
	// Template is the PodTemplateSpec to check. If PodTemplateSpec.Spec.ServiceAccountName is empty it will not be defaulted.
	// If its non-empty, it will be checked.
	Template kapi.PodTemplateSpec

	// User is the user you're testing for.
	// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups.
	// If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodTemplateSpec.
	User string

	// Groups is the groups you're testing for.
	Groups []string
}

PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview

type PodSecurityPolicySubjectReviewStatus

type PodSecurityPolicySubjectReviewStatus struct {
	// AllowedBy is a reference to the rule that allows the PodTemplateSpec.
	// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
	// A `nil`, indicates that it was denied.
	AllowedBy *kapi.ObjectReference

	// A machine-readable description of why this operation is in the
	// "Failure" status. If this value is empty there
	// is no information available.
	Reason string

	// Template is the PodTemplateSpec after the defaulting is applied.
	Template kapi.PodTemplateSpec
}

PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.

type RunAsUserStrategyOptions

type RunAsUserStrategyOptions struct {
	// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
	Type RunAsUserStrategyType
	// UID is the user id that containers must run as.  Required for the MustRunAs strategy if not using
	// namespace/service account allocated uids.
	UID *int64
	// UIDRangeMin defines the min value for a strategy that allocates by range.
	UIDRangeMin *int64
	// UIDRangeMax defines the max value for a strategy that allocates by range.
	UIDRangeMax *int64
}

RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

type RunAsUserStrategyType

type RunAsUserStrategyType string

RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a SecurityContext

type SELinuxContextStrategyOptions

type SELinuxContextStrategyOptions struct {
	// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
	Type SELinuxContextStrategyType
	// seLinuxOptions required to run as; required for MustRunAs
	SELinuxOptions *kapi.SELinuxOptions
}

SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.

type SELinuxContextStrategyType

type SELinuxContextStrategyType string

SELinuxContextStrategyType denotes strategy types for generating SELinux options for a SecurityContext

type SecurityContextConstraints

type SecurityContextConstraints struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
	// a given pod request based on access in the Users and Groups fields.  The higher the int, the
	// higher priority.  If scores for multiple SCCs are equal they will be sorted by name.
	Priority *int32

	// AllowPrivilegedContainer determines if a container can request to be run as privileged.
	AllowPrivilegedContainer bool
	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability.  You may not list a capabiility in both
	// DefaultAddCapabilities and RequiredDropCapabilities.
	DefaultAddCapabilities []kapi.Capability
	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
	// are required to be dropped and cannot be added.
	RequiredDropCapabilities []kapi.Capability
	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field maybe added at the pod author's discretion.
	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
	// To allow all capabilities you may use '*'.
	AllowedCapabilities []kapi.Capability
	// Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names
	// of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
	// To allow no volumes, set to ["none"].
	Volumes []FSType
	// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	AllowHostNetwork bool
	// AllowHostPorts determines if the policy allows host ports in the containers.
	AllowHostPorts bool
	// AllowHostPID determines if the policy allows host pid in the containers.
	AllowHostPID bool
	// AllowHostIPC determines if the policy allows host ipc in the containers.
	AllowHostIPC bool
	// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
	SELinuxContext SELinuxContextStrategyOptions
	// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
	RunAsUser RunAsUserStrategyOptions
	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	SupplementalGroups SupplementalGroupsStrategyOptions
	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	FSGroup FSGroupStrategyOptions
	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system.  If the container specifically requests to run with a non-read only root file system
	// the SCC should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	ReadOnlyRootFilesystem bool
	// SeccompProfiles lists the allowed profiles that may be set for the pod or
	// container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
	// be specifid by the pod or container.	The wildcard '*' may be used to allow all profiles.  When
	// used to generate a value for a pod the first non-wildcard profile will be used as
	// the default.
	SeccompProfiles []string

	// The users who have permissions to use this security context constraints
	Users []string
	// The groups that have permission to use this security context constraints
	Groups []string
}

SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container.

type SecurityContextConstraintsList

type SecurityContextConstraintsList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []SecurityContextConstraints
}

SecurityContextConstraintsList is a list of SecurityContextConstraints objects

type ServiceAccountPodSecurityPolicyReviewStatus

type ServiceAccountPodSecurityPolicyReviewStatus struct {
	PodSecurityPolicySubjectReviewStatus

	// Name contains the allowed and the denied ServiceAccount name
	Name string
}

ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status

type SupplementalGroupsStrategyOptions

type SupplementalGroupsStrategyOptions struct {
	// Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
	Type SupplementalGroupsStrategyType
	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
	// supplemental group then supply a single range with the same start and end.
	Ranges []IDRange
}

SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

type SupplementalGroupsStrategyType

type SupplementalGroupsStrategyType string

SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.

Directories

Path Synopsis
+groupName=security.openshift.io Package v1 is the v1 version of the API.
+groupName=security.openshift.io Package v1 is the v1 version of the API.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL