policy

package
v1.20.1-rc.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 4, 2020 License: Apache-2.0 Imports: 5 Imported by: 530

Documentation

Index

Constants

View Source 
const AllowAllRuntimeClassNames = "*"

AllowAllRuntimeClassNames can be used as a value for the RuntimeClassStrategyOptions.allowedRuntimeClassNames field and means that any runtimeClassName is allowed.

View Source 
const GroupName = "policy"

GroupName is the group name use in this package

Variables

View Source 
var (
	// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme is a global function that registers this API group & version to a scheme
	AddToScheme = SchemeBuilder.AddToScheme
)
View Source 
var AllowAllCapabilities api.Capability = "*"

AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities field and means that any capabilities are allowed to be requested.

View Source 
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind 

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func Resource 

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type AllowedCSIDriver added in v1.14.0 

type AllowedCSIDriver struct {
	// Name is the registered name of the CSI driver
	Name string
}

AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.

func (*AllowedCSIDriver) DeepCopy added in v1.14.0 

func (in *AllowedCSIDriver) DeepCopy() *AllowedCSIDriver

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedCSIDriver.

func (*AllowedCSIDriver) DeepCopyInto added in v1.14.0 

func (in *AllowedCSIDriver) DeepCopyInto(out *AllowedCSIDriver)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AllowedFlexVolume added in v1.11.0 

type AllowedFlexVolume struct {
	// Driver is the name of the Flexvolume driver.
	Driver string
}

AllowedFlexVolume represents a single Flexvolume that is allowed to be used.

func (*AllowedFlexVolume) DeepCopy added in v1.11.0 

func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.

func (*AllowedFlexVolume) DeepCopyInto added in v1.11.0 

func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AllowedHostPath added in v1.11.0 

type AllowedHostPath struct {
	// PathPrefix is the path prefix that the host volume must match.
	// PathPrefix does not support `*`.
	// Trailing slashes are trimmed when validating the path prefix with a host path.
	//
	// Examples:
	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
	// `/foo` would not allow `/food` or `/etc/foo`
	PathPrefix string

	// when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
	ReadOnly bool
}

AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.

func (*AllowedHostPath) DeepCopy added in v1.11.0 

func (in *AllowedHostPath) DeepCopy() *AllowedHostPath

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.

func (*AllowedHostPath) DeepCopyInto added in v1.11.0 

func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Eviction added in v1.4.0 

type Eviction struct {
	metav1.TypeMeta

	// ObjectMeta describes the pod that is being evicted.
	// +optional
	metav1.ObjectMeta

	// DeleteOptions may be provided
	// +optional
	DeleteOptions *metav1.DeleteOptions
}

Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/eviction.

func (*Eviction) DeepCopy added in v1.8.0 

func (in *Eviction) DeepCopy() *Eviction

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eviction.

func (*Eviction) DeepCopyInto added in v1.8.0 

func (in *Eviction) DeepCopyInto(out *Eviction)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Eviction) DeepCopyObject added in v1.8.0 

func (in *Eviction) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type FSGroupStrategyOptions added in v1.11.0 

type FSGroupStrategyOptions struct {
	// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
	// +optional
	Rule FSGroupStrategyType
	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
	// fs group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

func (*FSGroupStrategyOptions) DeepCopy added in v1.11.0 

func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.

func (*FSGroupStrategyOptions) DeepCopyInto added in v1.11.0 

func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FSGroupStrategyType added in v1.11.0 

type FSGroupStrategyType string

FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext 

const (
	// FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied.
	// However, when FSGroups are specified, they have to fall in the defined range.
	FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs"
	// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
	// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
)

type FSType added in v1.11.0 

type FSType string

FSType gives strong typing to different file systems that are used by volumes. 

const (
	AzureFile             FSType = "azureFile"
	Flocker               FSType = "flocker"
	FlexVolume            FSType = "flexVolume"
	HostPath              FSType = "hostPath"
	EmptyDir              FSType = "emptyDir"
	GCEPersistentDisk     FSType = "gcePersistentDisk"
	AWSElasticBlockStore  FSType = "awsElasticBlockStore"
	GitRepo               FSType = "gitRepo"
	Secret                FSType = "secret"
	NFS                   FSType = "nfs"
	ISCSI                 FSType = "iscsi"
	Glusterfs             FSType = "glusterfs"
	PersistentVolumeClaim FSType = "persistentVolumeClaim"
	RBD                   FSType = "rbd"
	Cinder                FSType = "cinder"
	CephFS                FSType = "cephFS"
	DownwardAPI           FSType = "downwardAPI"
	FC                    FSType = "fc"
	ConfigMap             FSType = "configMap"
	VsphereVolume         FSType = "vsphereVolume"
	Quobyte               FSType = "quobyte"
	AzureDisk             FSType = "azureDisk"
	PhotonPersistentDisk  FSType = "photonPersistentDisk"
	StorageOS             FSType = "storageos"
	Projected             FSType = "projected"
	PortworxVolume        FSType = "portworxVolume"
	ScaleIO               FSType = "scaleIO"
	CSI                   FSType = "csi"
	All                   FSType = "*"
)

Exported FSTypes.

type HostPortRange added in v1.11.0 

type HostPortRange struct {
	// Min is the start of the range, inclusive.
	Min int32
	// Max is the end of the range, inclusive.
	Max int32
}

HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.

func (*HostPortRange) DeepCopy added in v1.11.0 

func (in *HostPortRange) DeepCopy() *HostPortRange

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.

func (*HostPortRange) DeepCopyInto added in v1.11.0 

func (in *HostPortRange) DeepCopyInto(out *HostPortRange)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IDRange added in v1.11.0 

type IDRange struct {
	// Min is the start of the range, inclusive.
	Min int64
	// Max is the end of the range, inclusive.
	Max int64
}

IDRange provides a min/max of an allowed range of IDs.

func (*IDRange) DeepCopy added in v1.11.0 

func (in *IDRange) DeepCopy() *IDRange

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.

func (*IDRange) DeepCopyInto added in v1.11.0 

func (in *IDRange) DeepCopyInto(out *IDRange)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodDisruptionBudget 

type PodDisruptionBudget struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta

	// Specification of the desired behavior of the PodDisruptionBudget.
	// +optional
	Spec PodDisruptionBudgetSpec
	// Most recently observed status of the PodDisruptionBudget.
	// +optional
	Status PodDisruptionBudgetStatus
}

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods

func (*PodDisruptionBudget) DeepCopy added in v1.8.0 

func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget.

func (*PodDisruptionBudget) DeepCopyInto added in v1.8.0 

func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodDisruptionBudget) DeepCopyObject added in v1.8.0 

func (in *PodDisruptionBudget) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodDisruptionBudgetList 

type PodDisruptionBudgetList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta
	Items []PodDisruptionBudget
}

PodDisruptionBudgetList is a collection of PodDisruptionBudgets.

func (*PodDisruptionBudgetList) DeepCopy added in v1.8.0 

func (in *PodDisruptionBudgetList) DeepCopy() *PodDisruptionBudgetList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetList.

func (*PodDisruptionBudgetList) DeepCopyInto added in v1.8.0 

func (in *PodDisruptionBudgetList) DeepCopyInto(out *PodDisruptionBudgetList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodDisruptionBudgetList) DeepCopyObject added in v1.8.0 

func (in *PodDisruptionBudgetList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodDisruptionBudgetSpec 

type PodDisruptionBudgetSpec struct {
	// An eviction is allowed if at least "minAvailable" pods selected by
	// "selector" will still be available after the eviction, i.e. even in the
	// absence of the evicted pod.  So for example you can prevent all voluntary
	// evictions by specifying "100%".
	// +optional
	MinAvailable *intstr.IntOrString

	// Label query over pods whose evictions are managed by the disruption
	// budget.
	// +optional
	Selector *metav1.LabelSelector

	// An eviction is allowed if at most "maxUnavailable" pods selected by
	// "selector" are unavailable after the eviction, i.e. even in absence of
	// the evicted pod. For example, one can prevent all voluntary evictions
	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
	// +optional
	MaxUnavailable *intstr.IntOrString
}

PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.

func (*PodDisruptionBudgetSpec) DeepCopy added in v1.8.0 

func (in *PodDisruptionBudgetSpec) DeepCopy() *PodDisruptionBudgetSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetSpec.

func (*PodDisruptionBudgetSpec) DeepCopyInto added in v1.8.0 

func (in *PodDisruptionBudgetSpec) DeepCopyInto(out *PodDisruptionBudgetSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodDisruptionBudgetStatus 

type PodDisruptionBudgetStatus struct {
	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
	// status information is valid only if observedGeneration equals to PDB's object generation.
	// +optional
	ObservedGeneration int64

	// DisruptedPods contains information about pods whose eviction was
	// processed by the API server eviction subresource handler but has not
	// yet been observed by the PodDisruptionBudget controller.
	// A pod will be in this map from the time when the API server processed the
	// eviction request to the time when the pod is seen by PDB controller
	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
	// and the value is the time when the API server processed the eviction request. If
	// the deletion didn't occur and a pod is still there it will be removed from
	// the list automatically by PodDisruptionBudget controller after some time.
	// If everything goes smooth this map should be empty for the most of the time.
	// Large number of entries in the map may indicate problems with pod deletions.
	// +optional
	DisruptedPods map[string]metav1.Time

	// Number of pod disruptions that are currently allowed.
	DisruptionsAllowed int32

	// current number of healthy pods
	CurrentHealthy int32

	// minimum desired number of healthy pods
	DesiredHealthy int32

	// total number of pods counted by this disruption budget
	ExpectedPods int32
}

PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.

func (*PodDisruptionBudgetStatus) DeepCopy added in v1.8.0 

func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetStatus.

func (*PodDisruptionBudgetStatus) DeepCopyInto added in v1.8.0 

func (in *PodDisruptionBudgetStatus) DeepCopyInto(out *PodDisruptionBudgetStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicy added in v1.11.0 

type PodSecurityPolicy struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta

	// Spec defines the policy enforced.
	// +optional
	Spec PodSecurityPolicySpec
}

PodSecurityPolicy governs the ability to make requests that affect the SecurityContext that will be applied to a pod and container.

func (*PodSecurityPolicy) DeepCopy added in v1.11.0 

func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.

func (*PodSecurityPolicy) DeepCopyInto added in v1.11.0 

func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicy) DeepCopyObject added in v1.11.0 

func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicyList added in v1.11.0 

type PodSecurityPolicyList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta

	Items []PodSecurityPolicy
}

PodSecurityPolicyList is a list of PodSecurityPolicy objects.

func (*PodSecurityPolicyList) DeepCopy added in v1.11.0 

func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.

func (*PodSecurityPolicyList) DeepCopyInto added in v1.11.0 

func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicyList) DeepCopyObject added in v1.11.0 

func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicySpec added in v1.11.0 

type PodSecurityPolicySpec struct {
	// Privileged determines if a pod can request to be run as privileged.
	// +optional
	Privileged bool
	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability.  You may not list a capability in both
	// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
	// allowed, and need not be included in the AllowedCapabilities list.
	// +optional
	DefaultAddCapabilities []api.Capability
	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
	// are required to be dropped and cannot be added.
	// +optional
	RequiredDropCapabilities []api.Capability
	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field may be added at the pod author's discretion.
	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
	// To allow all capabilities you may use '*'.
	// +optional
	AllowedCapabilities []api.Capability
	// Volumes is an allowlist of volume plugins. Empty indicates that
	// no volumes may be used. To allow all volumes you may use '*'.
	// +optional
	Volumes []FSType
	// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	// +optional
	HostNetwork bool
	// HostPorts determines which host port ranges are allowed to be exposed.
	// +optional
	HostPorts []HostPortRange
	// HostPID determines if the policy allows the use of HostPID in the pod spec.
	// +optional
	HostPID bool
	// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
	// +optional
	HostIPC bool
	// SELinux is the strategy that will dictate the allowable labels that may be set.
	SELinux SELinuxStrategyOptions
	// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
	RunAsUser RunAsUserStrategyOptions
	// RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
	// If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
	// RunAsGroup feature gate to be enabled.
	RunAsGroup *RunAsGroupStrategyOptions
	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	SupplementalGroups SupplementalGroupsStrategyOptions
	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	FSGroup FSGroupStrategyOptions
	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system.  If the container specifically requests to run with a non-read only root file system
	// the PSP should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	// +optional
	ReadOnlyRootFilesystem bool
	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
	// process can gain more privileges than its parent process.
	// +optional
	DefaultAllowPrivilegeEscalation *bool
	// AllowPrivilegeEscalation determines if a pod can request to allow
	// privilege escalation. If unspecified, defaults to true.
	// +optional
	AllowPrivilegeEscalation bool
	// AllowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.
	// +optional
	AllowedHostPaths []AllowedHostPath
	// AllowedFlexVolumes is an allowlist of Flexvolumes.  Empty or nil indicates that all
	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
	// is allowed in the "Volumes" field.
	// +optional
	AllowedFlexVolumes []AllowedFlexVolume
	// AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
	// An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
	// This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.
	// +optional
	AllowedCSIDrivers []AllowedCSIDriver
	// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
	// Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.
	//
	// Examples:
	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
	// +optional
	AllowedUnsafeSysctls []string
	// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
	//
	// Examples:
	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
	// +optional
	ForbiddenSysctls []string
	// AllowedProcMountTypes is an allowlist of ProcMountTypes.
	// Empty or nil indicates that only the DefaultProcMountType may be used.
	// +optional
	AllowedProcMountTypes []api.ProcMountType
	// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
	// If this field is omitted, the pod's runtimeClassName field is unrestricted.
	// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
	// +optional
	RuntimeClass *RuntimeClassStrategyOptions
}

PodSecurityPolicySpec defines the policy enforced.

func (*PodSecurityPolicySpec) DeepCopy added in v1.11.0 

func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.

func (*PodSecurityPolicySpec) DeepCopyInto added in v1.11.0 

func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RunAsGroupStrategy added in v1.13.0 

type RunAsGroupStrategy string

RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a SecurityContext. 

const (
	// RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid.
	// However, when RunAsGroup are specified, they have to fall in the defined range.
	RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs"
	// RunAsGroupStrategyMustRunAs means that container must run as a particular gid.
	RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs"
	// RunAsGroupStrategyRunAsAny means that container may make requests for any gid.
	RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny"
)

type RunAsGroupStrategyOptions added in v1.13.0 

type RunAsGroupStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
	Rule RunAsGroupStrategy
	// Ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsGroupStrategyOptions) DeepCopy added in v1.13.0 

func (in *RunAsGroupStrategyOptions) DeepCopy() *RunAsGroupStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions.

func (*RunAsGroupStrategyOptions) DeepCopyInto added in v1.13.0 

func (in *RunAsGroupStrategyOptions) DeepCopyInto(out *RunAsGroupStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RunAsUserStrategy added in v1.11.0 

type RunAsUserStrategy string

RunAsUserStrategy denotes strategy types for generating RunAsUser values for a SecurityContext. 

const (
	// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
	RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
	// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
	// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
	RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
)

type RunAsUserStrategyOptions added in v1.11.0 

type RunAsUserStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
	Rule RunAsUserStrategy
	// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsUserStrategyOptions) DeepCopy added in v1.11.0 

func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.

func (*RunAsUserStrategyOptions) DeepCopyInto added in v1.11.0 

func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuntimeClassStrategyOptions added in v1.15.0 

type RuntimeClassStrategyOptions struct {
	// allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
	// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
	// list. An empty list requires the RuntimeClassName field to be unset.
	AllowedRuntimeClassNames []string
	// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
	// The default MUST be allowed by the allowedRuntimeClassNames list.
	// A value of nil does not mutate the Pod.
	// +optional
	DefaultRuntimeClassName *string
}

RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.

func (*RuntimeClassStrategyOptions) DeepCopy added in v1.15.0 

func (in *RuntimeClassStrategyOptions) DeepCopy() *RuntimeClassStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeClassStrategyOptions.

func (*RuntimeClassStrategyOptions) DeepCopyInto added in v1.15.0 

func (in *RuntimeClassStrategyOptions) DeepCopyInto(out *RuntimeClassStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SELinuxStrategy added in v1.11.0 

type SELinuxStrategy string

SELinuxStrategy denotes strategy types for generating SELinux options for a Security. 

const (
	// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
	SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
	// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
	SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
)

type SELinuxStrategyOptions added in v1.11.0 

type SELinuxStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable labels that may be set.
	Rule SELinuxStrategy
	// SELinuxOptions required to run as; required for MustRunAs
	// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
	// +optional
	SELinuxOptions *api.SELinuxOptions
}

SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.

func (*SELinuxStrategyOptions) DeepCopy added in v1.11.0 

func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.

func (*SELinuxStrategyOptions) DeepCopyInto added in v1.11.0 

func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SupplementalGroupsStrategyOptions added in v1.11.0 

type SupplementalGroupsStrategyOptions struct {
	// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
	// +optional
	Rule SupplementalGroupsStrategyType
	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
	// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

func (*SupplementalGroupsStrategyOptions) DeepCopy added in v1.11.0 

func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.

func (*SupplementalGroupsStrategyOptions) DeepCopyInto added in v1.11.0 

func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SupplementalGroupsStrategyType added in v1.11.0 

type SupplementalGroupsStrategyType string

SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext. 

const (
	// SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid.
	// However, when gids are specified, they have to fall in the defined range.
	SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs"
	// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
	// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)

Source Files

View all Source files

Directories

Path Synopsis
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
 Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
Package policy is for any kind of policy object.
 Package policy is for any kind of policy object.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.