security

package
v4.0.0-alpha.0+incompa... Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 13, 2018 License: Apache-2.0 Imports: 4 Imported by: 901

Documentation

Overview

+groupName=security.openshift.io Package api is the internal version of the API.

Index

Constants

View Source 
const (
	// container must have SELinux labels of X applied.
	SELinuxStrategyMustRunAs SELinuxContextStrategyType = "MustRunAs"
	// container may make requests for any SELinux context labels.
	SELinuxStrategyRunAsAny SELinuxContextStrategyType = "RunAsAny"

	// container must run as a particular uid.
	RunAsUserStrategyMustRunAs RunAsUserStrategyType = "MustRunAs"
	// container must run as a particular uid.
	RunAsUserStrategyMustRunAsRange RunAsUserStrategyType = "MustRunAsRange"
	// container must run as a non-root uid
	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategyType = "MustRunAsNonRoot"
	// container may make requests for any uid.
	RunAsUserStrategyRunAsAny RunAsUserStrategyType = "RunAsAny"

	// container must have FSGroup of X applied.
	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
	// container may make requests for any FSGroup labels.
	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"

	// container must run as a particular gid.
	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
	// container may make requests for any gid.
	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)
View Source 
const (
	GroupName = "security.openshift.io"
)

Variables

View Source 
var (
	Install = schemeBuilder.AddToScheme

	// DEPRECATED kept for generated code
	SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
	// DEPRECATED kept for generated code
	AddToScheme = schemeBuilder.AddToScheme
)
View Source 
var AllowAllCapabilities core.Capability = "*"

AllowAllCapabilities can be used as a value for the SecurityContextConstraints.AllowAllCapabilities field and means that any capabilities are allowed to be requested.

Functions

func Resource 

func Resource(resource string) schema.GroupResource

Resource kept for generated code DEPRECATED

Types

type AllowedFlexVolume 

type AllowedFlexVolume struct {
	// Driver is the name of the Flexvolume driver.
	Driver string
}

AllowedFlexVolume represents a single Flexvolume that is allowed to be used.

func (*AllowedFlexVolume) DeepCopy 

func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.

func (*AllowedFlexVolume) DeepCopyInto 

func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FSGroupStrategyOptions 

type FSGroupStrategyOptions struct {
	// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
	Type FSGroupStrategyType
	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
	// fs group then supply a single range with the same start and end.
	Ranges []IDRange
}

FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

func (*FSGroupStrategyOptions) DeepCopy 

func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.

func (*FSGroupStrategyOptions) DeepCopyInto 

func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FSGroupStrategyType 

type FSGroupStrategyType string

FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext

type FSType 

type FSType string

FS Type gives strong typing to different file systems that are used by volumes. 

var (
	FSTypeAzureFile             FSType = "azureFile"
	FSTypeAzureDisk             FSType = "azureDisk"
	FSTypeFlocker               FSType = "flocker"
	FSTypeFlexVolume            FSType = "flexVolume"
	FSTypeHostPath              FSType = "hostPath"
	FSTypeEmptyDir              FSType = "emptyDir"
	FSTypeGCEPersistentDisk     FSType = "gcePersistentDisk"
	FSTypeAWSElasticBlockStore  FSType = "awsElasticBlockStore"
	FSTypeGitRepo               FSType = "gitRepo"
	FSTypeSecret                FSType = "secret"
	FSTypeNFS                   FSType = "nfs"
	FSTypeISCSI                 FSType = "iscsi"
	FSTypeGlusterfs             FSType = "glusterfs"
	FSTypePersistentVolumeClaim FSType = "persistentVolumeClaim"
	FSTypeRBD                   FSType = "rbd"
	FSTypeCinder                FSType = "cinder"
	FSTypeCephFS                FSType = "cephFS"
	FSTypeDownwardAPI           FSType = "downwardAPI"
	FSTypeFC                    FSType = "fc"
	FSTypeConfigMap             FSType = "configMap"
	FSTypeVsphereVolume         FSType = "vsphere"
	FSTypeQuobyte               FSType = "quobyte"
	FSTypePhotonPersistentDisk  FSType = "photonPersistentDisk"
	FSProjected                 FSType = "projected"
	FSPortworxVolume            FSType = "portworxVolume"
	FSScaleIO                   FSType = "scaleIO"
	FSStorageOS                 FSType = "storageOS"
	FSTypeAll                   FSType = "*"
	FSTypeNone                  FSType = "none"
)

type IDRange 

type IDRange struct {
	// Min is the start of the range, inclusive.
	Min int64
	// Max is the end of the range, inclusive.
	Max int64
}

IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.

func (*IDRange) DeepCopy 

func (in *IDRange) DeepCopy() *IDRange

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.

func (*IDRange) DeepCopyInto 

func (in *IDRange) DeepCopyInto(out *IDRange)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicyReview 

type PodSecurityPolicyReview struct {
	metav1.TypeMeta

	// Spec is the PodSecurityPolicy to check.
	Spec PodSecurityPolicyReviewSpec

	// Status represents the current information/status for the PodSecurityPolicyReview.
	Status PodSecurityPolicyReviewStatus
}

PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.

func (*PodSecurityPolicyReview) DeepCopy 

func (in *PodSecurityPolicyReview) DeepCopy() *PodSecurityPolicyReview

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReview.

func (*PodSecurityPolicyReview) DeepCopyInto 

func (in *PodSecurityPolicyReview) DeepCopyInto(out *PodSecurityPolicyReview)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicyReview) DeepCopyObject 

func (in *PodSecurityPolicyReview) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicyReviewSpec 

type PodSecurityPolicyReviewSpec struct {
	// Template is the PodTemplateSpec to check. The PodTemplateSpec.Spec.ServiceAccountName field is used
	// if ServiceAccountNames is empty, unless the PodTemplateSpec.Spec.ServiceAccountName is empty,
	// in which case "default" is used.
	// If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored.
	Template core.PodTemplateSpec

	// ServiceAccountNames is an optional set of ServiceAccounts to run the check with.
	// If ServiceAccountNames is empty, the PodTemplateSpec.Spec.ServiceAccountName is used,
	// unless it's empty, in which case "default" is used instead.
	// If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored.
	ServiceAccountNames []string // TODO: find a way to express 'all service accounts'
}

PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview

func (*PodSecurityPolicyReviewSpec) DeepCopy 

func (in *PodSecurityPolicyReviewSpec) DeepCopy() *PodSecurityPolicyReviewSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewSpec.

func (*PodSecurityPolicyReviewSpec) DeepCopyInto 

func (in *PodSecurityPolicyReviewSpec) DeepCopyInto(out *PodSecurityPolicyReviewSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicyReviewStatus 

type PodSecurityPolicyReviewStatus struct {
	// AllowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
	AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus
}

PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.

func (*PodSecurityPolicyReviewStatus) DeepCopy 

func (in *PodSecurityPolicyReviewStatus) DeepCopy() *PodSecurityPolicyReviewStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewStatus.

func (*PodSecurityPolicyReviewStatus) DeepCopyInto 

func (in *PodSecurityPolicyReviewStatus) DeepCopyInto(out *PodSecurityPolicyReviewStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicySelfSubjectReview 

type PodSecurityPolicySelfSubjectReview struct {
	metav1.TypeMeta

	// Spec defines specification the PodSecurityPolicySelfSubjectReview.
	Spec PodSecurityPolicySelfSubjectReviewSpec

	// Status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
	Status PodSecurityPolicySubjectReviewStatus
}

PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec.

func (*PodSecurityPolicySelfSubjectReview) DeepCopy 

func (in *PodSecurityPolicySelfSubjectReview) DeepCopy() *PodSecurityPolicySelfSubjectReview

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReview.

func (*PodSecurityPolicySelfSubjectReview) DeepCopyInto 

func (in *PodSecurityPolicySelfSubjectReview) DeepCopyInto(out *PodSecurityPolicySelfSubjectReview)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicySelfSubjectReview) DeepCopyObject 

func (in *PodSecurityPolicySelfSubjectReview) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicySelfSubjectReviewSpec 

type PodSecurityPolicySelfSubjectReviewSpec struct {
	// Template is the PodTemplateSpec to check.
	Template core.PodTemplateSpec
}

PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.

func (*PodSecurityPolicySelfSubjectReviewSpec) DeepCopy 

func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopy() *PodSecurityPolicySelfSubjectReviewSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReviewSpec.

func (*PodSecurityPolicySelfSubjectReviewSpec) DeepCopyInto 

func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySelfSubjectReviewSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicySubjectReview 

type PodSecurityPolicySubjectReview struct {
	metav1.TypeMeta

	// Spec defines specification for the PodSecurityPolicySubjectReview.
	Spec PodSecurityPolicySubjectReviewSpec

	// Status represents the current information/status for the PodSecurityPolicySubjectReview.
	Status PodSecurityPolicySubjectReviewStatus
}

PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.

func (*PodSecurityPolicySubjectReview) DeepCopy 

func (in *PodSecurityPolicySubjectReview) DeepCopy() *PodSecurityPolicySubjectReview

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReview.

func (*PodSecurityPolicySubjectReview) DeepCopyInto 

func (in *PodSecurityPolicySubjectReview) DeepCopyInto(out *PodSecurityPolicySubjectReview)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicySubjectReview) DeepCopyObject 

func (in *PodSecurityPolicySubjectReview) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicySubjectReviewSpec 

type PodSecurityPolicySubjectReviewSpec struct {
	// Template is the PodTemplateSpec to check. If PodTemplateSpec.Spec.ServiceAccountName is empty it will not be defaulted.
	// If its non-empty, it will be checked.
	Template core.PodTemplateSpec

	// User is the user you're testing for.
	// If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups.
	// If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodTemplateSpec.
	User string

	// Groups is the groups you're testing for.
	Groups []string
}

PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview

func (*PodSecurityPolicySubjectReviewSpec) DeepCopy 

func (in *PodSecurityPolicySubjectReviewSpec) DeepCopy() *PodSecurityPolicySubjectReviewSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewSpec.

func (*PodSecurityPolicySubjectReviewSpec) DeepCopyInto 

func (in *PodSecurityPolicySubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySubjectReviewSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicySubjectReviewStatus 

type PodSecurityPolicySubjectReviewStatus struct {
	// AllowedBy is a reference to the rule that allows the PodTemplateSpec.
	// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
	// A `nil`, indicates that it was denied.
	AllowedBy *core.ObjectReference

	// A machine-readable description of why this operation is in the
	// "Failure" status. If this value is empty there
	// is no information available.
	Reason string

	// Template is the PodTemplateSpec after the defaulting is applied.
	Template core.PodTemplateSpec
}

PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.

func (*PodSecurityPolicySubjectReviewStatus) DeepCopy 

func (in *PodSecurityPolicySubjectReviewStatus) DeepCopy() *PodSecurityPolicySubjectReviewStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewStatus.

func (*PodSecurityPolicySubjectReviewStatus) DeepCopyInto 

func (in *PodSecurityPolicySubjectReviewStatus) DeepCopyInto(out *PodSecurityPolicySubjectReviewStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RangeAllocation 

type RangeAllocation struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta

	// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
	Range string

	// data is a byte array representing the serialized state of a range allocation.  It is a bitmap
	// with each bit set to one to represent a range is taken.
	Data []byte
}

RangeAllocation is used so we can easily expose a RangeAllocation typed for security group

func (*RangeAllocation) DeepCopy 

func (in *RangeAllocation) DeepCopy() *RangeAllocation

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocation.

func (*RangeAllocation) DeepCopyInto 

func (in *RangeAllocation) DeepCopyInto(out *RangeAllocation)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RangeAllocation) DeepCopyObject 

func (in *RangeAllocation) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RangeAllocationList 

type RangeAllocationList struct {
	metav1.TypeMeta

	// More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata
	metav1.ListMeta

	// List of RangeAllocations.
	Items []RangeAllocation
}

RangeAllocationList is a list of RangeAllocations objects

func (*RangeAllocationList) DeepCopy 

func (in *RangeAllocationList) DeepCopy() *RangeAllocationList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocationList.

func (*RangeAllocationList) DeepCopyInto 

func (in *RangeAllocationList) DeepCopyInto(out *RangeAllocationList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*RangeAllocationList) DeepCopyObject 

func (in *RangeAllocationList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type RunAsUserStrategyOptions 

type RunAsUserStrategyOptions struct {
	// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
	Type RunAsUserStrategyType
	// UID is the user id that containers must run as.  Required for the MustRunAs strategy if not using
	// namespace/service account allocated uids.
	UID *int64
	// UIDRangeMin defines the min value for a strategy that allocates by range.
	UIDRangeMin *int64
	// UIDRangeMax defines the max value for a strategy that allocates by range.
	UIDRangeMax *int64
}

RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsUserStrategyOptions) DeepCopy 

func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.

func (*RunAsUserStrategyOptions) DeepCopyInto 

func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RunAsUserStrategyType 

type RunAsUserStrategyType string

RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a SecurityContext

type SELinuxContextStrategyOptions 

type SELinuxContextStrategyOptions struct {
	// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
	Type SELinuxContextStrategyType
	// seLinuxOptions required to run as; required for MustRunAs
	SELinuxOptions *core.SELinuxOptions
}

SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.

func (*SELinuxContextStrategyOptions) DeepCopy 

func (in *SELinuxContextStrategyOptions) DeepCopy() *SELinuxContextStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxContextStrategyOptions.

func (*SELinuxContextStrategyOptions) DeepCopyInto 

func (in *SELinuxContextStrategyOptions) DeepCopyInto(out *SELinuxContextStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SELinuxContextStrategyType 

type SELinuxContextStrategyType string

SELinuxContextStrategyType denotes strategy types for generating SELinux options for a SecurityContext

type SecurityContextConstraints 

type SecurityContextConstraints struct {
	metav1.TypeMeta
	metav1.ObjectMeta

	// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
	// a given pod request based on access in the Users and Groups fields.  The higher the int, the
	// higher priority. An unset value is considered a 0 priority. If scores
	// for multiple SCCs are equal they will be sorted from most restrictive to
	// least restrictive. If both priorities and restrictions are equal the
	// SCCs will be sorted by name.
	Priority *int32

	// AllowPrivilegedContainer determines if a container can request to be run as privileged.
	AllowPrivilegedContainer bool
	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability.  You may not list a capabiility in both
	// DefaultAddCapabilities and RequiredDropCapabilities.
	DefaultAddCapabilities []core.Capability
	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
	// are required to be dropped and cannot be added.
	RequiredDropCapabilities []core.Capability
	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field maybe added at the pod author's discretion.
	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
	// To allow all capabilities you may use '*'.
	AllowedCapabilities []core.Capability
	// Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names
	// of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
	// To allow no volumes, set to ["none"].
	Volumes []FSType
	// AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
	// is allowed in the "Volumes" field.
	// +optional
	AllowedFlexVolumes []AllowedFlexVolume
	// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	AllowHostNetwork bool
	// AllowHostPorts determines if the policy allows host ports in the containers.
	AllowHostPorts bool
	// AllowHostPID determines if the policy allows host pid in the containers.
	AllowHostPID bool
	// AllowHostIPC determines if the policy allows host ipc in the containers.
	AllowHostIPC bool
	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
	// process can gain more privileges than its parent process.
	// +optional
	DefaultAllowPrivilegeEscalation *bool
	// AllowPrivilegeEscalation determines if a pod can request to allow
	// privilege escalation. If unspecified, defaults to true.
	// +optional
	AllowPrivilegeEscalation *bool
	// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
	SELinuxContext SELinuxContextStrategyOptions
	// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
	RunAsUser RunAsUserStrategyOptions
	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	SupplementalGroups SupplementalGroupsStrategyOptions
	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	FSGroup FSGroupStrategyOptions
	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system.  If the container specifically requests to run with a non-read only root file system
	// the SCC should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	ReadOnlyRootFilesystem bool
	// SeccompProfiles lists the allowed profiles that may be set for the pod or
	// container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
	// be specifid by the pod or container.	The wildcard '*' may be used to allow all profiles.  When
	// used to generate a value for a pod the first non-wildcard profile will be used as
	// the default.
	SeccompProfiles []string

	// The users who have permissions to use this security context constraints
	Users []string
	// The groups that have permission to use this security context constraints
	Groups []string

	// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
	// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
	//
	// Examples:
	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
	// +optional
	AllowedUnsafeSysctls []string
	// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
	//
	// Examples:
	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
	// +optional
	ForbiddenSysctls []string
}

SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container.

func (*SecurityContextConstraints) DeepCopy 

func (in *SecurityContextConstraints) DeepCopy() *SecurityContextConstraints

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraints.

func (*SecurityContextConstraints) DeepCopyInto 

func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstraints)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*SecurityContextConstraints) DeepCopyObject 

func (in *SecurityContextConstraints) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type SecurityContextConstraintsList 

type SecurityContextConstraintsList struct {
	metav1.TypeMeta
	metav1.ListMeta

	Items []SecurityContextConstraints
}

SecurityContextConstraintsList is a list of SecurityContextConstraints objects

func (*SecurityContextConstraintsList) DeepCopy 

func (in *SecurityContextConstraintsList) DeepCopy() *SecurityContextConstraintsList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraintsList.

func (*SecurityContextConstraintsList) DeepCopyInto 

func (in *SecurityContextConstraintsList) DeepCopyInto(out *SecurityContextConstraintsList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*SecurityContextConstraintsList) DeepCopyObject 

func (in *SecurityContextConstraintsList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ServiceAccountPodSecurityPolicyReviewStatus 

type ServiceAccountPodSecurityPolicyReviewStatus struct {
	PodSecurityPolicySubjectReviewStatus

	// Name contains the allowed and the denied ServiceAccount name
	Name string
}

ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status

func (*ServiceAccountPodSecurityPolicyReviewStatus) DeepCopy 

func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopy() *ServiceAccountPodSecurityPolicyReviewStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountPodSecurityPolicyReviewStatus.

func (*ServiceAccountPodSecurityPolicyReviewStatus) DeepCopyInto 

func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopyInto(out *ServiceAccountPodSecurityPolicyReviewStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SupplementalGroupsStrategyOptions 

type SupplementalGroupsStrategyOptions struct {
	// Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
	Type SupplementalGroupsStrategyType
	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
	// supplemental group then supply a single range with the same start and end.
	Ranges []IDRange
}

SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

func (*SupplementalGroupsStrategyOptions) DeepCopy 

func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.

func (*SupplementalGroupsStrategyOptions) DeepCopyInto 

func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SupplementalGroupsStrategyType 

type SupplementalGroupsStrategyType string

SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.

Source Files

View all Source files

Directories

Path Synopsis
+groupName=security.openshift.io Package v1 is the v1 version of the API.
 +groupName=security.openshift.io Package v1 is the v1 version of the API.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.