Documentation ¶
Overview ¶
+groupName=security.openshift.io Package api is the internal version of the API.
Index ¶
- Constants
- Variables
- func IsKindOrLegacy(kind string, gk schema.GroupKind) bool
- func IsResourceOrLegacy(resource string, gr schema.GroupResource) bool
- func Kind(kind string) schema.GroupKind
- func LegacyKind(kind string) schema.GroupKind
- func LegacyResource(resource string) schema.GroupResource
- func Resource(resource string) schema.GroupResource
- type AllowedFlexVolume
- type FSGroupStrategyOptions
- type FSGroupStrategyType
- type FSType
- type IDRange
- type PodSecurityPolicyReview
- type PodSecurityPolicyReviewSpec
- type PodSecurityPolicyReviewStatus
- type PodSecurityPolicySelfSubjectReview
- type PodSecurityPolicySelfSubjectReviewSpec
- type PodSecurityPolicySubjectReview
- type PodSecurityPolicySubjectReviewSpec
- type PodSecurityPolicySubjectReviewStatus
- type RangeAllocation
- type RangeAllocationList
- type RunAsUserStrategyOptions
- type RunAsUserStrategyType
- type SELinuxContextStrategyOptions
- type SELinuxContextStrategyType
- type SecurityContextConstraints
- type SecurityContextConstraintsList
- type ServiceAccountPodSecurityPolicyReviewStatus
- type SupplementalGroupsStrategyOptions
- type SupplementalGroupsStrategyType
Constants ¶
const ( GroupName = "security.openshift.io" LegacyGroupName = "" )
const ( // container must have SELinux labels of X applied. SELinuxStrategyMustRunAs SELinuxContextStrategyType = "MustRunAs" // container may make requests for any SELinux context labels. SELinuxStrategyRunAsAny SELinuxContextStrategyType = "RunAsAny" // container must run as a particular uid. RunAsUserStrategyMustRunAs RunAsUserStrategyType = "MustRunAs" // container must run as a particular uid. RunAsUserStrategyMustRunAsRange RunAsUserStrategyType = "MustRunAsRange" // container must run as a non-root uid RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategyType = "MustRunAsNonRoot" // container may make requests for any uid. RunAsUserStrategyRunAsAny RunAsUserStrategyType = "RunAsAny" // container must have FSGroup of X applied. FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" // container may make requests for any FSGroup labels. FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" // container must run as a particular gid. SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" // container may make requests for any gid. SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" )
Variables ¶
var ( SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal} LegacySchemeGroupVersion = schema.GroupVersion{Group: LegacyGroupName, Version: runtime.APIVersionInternal} LegacySchemeBuilder = runtime.NewSchemeBuilder(addLegacyKnownTypes) AddToSchemeInCoreGroup = LegacySchemeBuilder.AddToScheme SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme )
SchemeGroupVersion is group version used to register these objects
var AllowAllCapabilities kapi.Capability = "*"
AllowAllCapabilities can be used as a value for the SecurityContextConstraints.AllowAllCapabilities field and means that any capabilities are allowed to be requested.
Functions ¶
func IsKindOrLegacy ¶
IsKindOrLegacy checks if the provided GroupKind matches with the given kind by looking up the API group and also the legacy API.
func IsResourceOrLegacy ¶
func IsResourceOrLegacy(resource string, gr schema.GroupResource) bool
IsResourceOrLegacy checks if the provided GroupResources matches with the given resource by looking up the API group and also the legacy API.
func LegacyKind ¶
func LegacyResource ¶
func LegacyResource(resource string) schema.GroupResource
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns back a Group qualified GroupResource
Types ¶
type AllowedFlexVolume ¶
type AllowedFlexVolume struct { // Driver is the name of the Flexvolume driver. Driver string }
AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
func (*AllowedFlexVolume) DeepCopy ¶
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
func (*AllowedFlexVolume) DeepCopyInto ¶
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FSGroupStrategyOptions ¶
type FSGroupStrategyOptions struct { // Type is the strategy that will dictate what FSGroup is used in the SecurityContext. Type FSGroupStrategyType // Ranges are the allowed ranges of fs groups. If you would like to force a single // fs group then supply a single range with the same start and end. Ranges []IDRange }
FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
func (*FSGroupStrategyOptions) DeepCopy ¶
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
func (*FSGroupStrategyOptions) DeepCopyInto ¶
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FSGroupStrategyType ¶
type FSGroupStrategyType string
FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext
type FSType ¶
type FSType string
FS Type gives strong typing to different file systems that are used by volumes.
var ( FSTypeAzureFile FSType = "azureFile" FSTypeAzureDisk FSType = "azureDisk" FSTypeFlocker FSType = "flocker" FSTypeFlexVolume FSType = "flexVolume" FSTypeHostPath FSType = "hostPath" FSTypeEmptyDir FSType = "emptyDir" FSTypeGCEPersistentDisk FSType = "gcePersistentDisk" FSTypeAWSElasticBlockStore FSType = "awsElasticBlockStore" FSTypeGitRepo FSType = "gitRepo" FSTypeSecret FSType = "secret" FSTypeNFS FSType = "nfs" FSTypeISCSI FSType = "iscsi" FSTypeGlusterfs FSType = "glusterfs" FSTypePersistentVolumeClaim FSType = "persistentVolumeClaim" FSTypeRBD FSType = "rbd" FSTypeCinder FSType = "cinder" FSTypeCephFS FSType = "cephFS" FSTypeDownwardAPI FSType = "downwardAPI" FSTypeFC FSType = "fc" FSTypeConfigMap FSType = "configMap" FSTypeVsphereVolume FSType = "vsphere" FSTypeQuobyte FSType = "quobyte" FSTypePhotonPersistentDisk FSType = "photonPersistentDisk" FSProjected FSType = "projected" FSPortworxVolume FSType = "portworxVolume" FSScaleIO FSType = "scaleIO" FSStorageOS FSType = "storageOS" FSTypeAll FSType = "*" FSTypeNone FSType = "none" )
type IDRange ¶
type IDRange struct { // Min is the start of the range, inclusive. Min int64 // Max is the end of the range, inclusive. Max int64 }
IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.
func (*IDRange) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.
func (*IDRange) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicyReview ¶
type PodSecurityPolicyReview struct { metav1.TypeMeta // Spec is the PodSecurityPolicy to check. Spec PodSecurityPolicyReviewSpec // Status represents the current information/status for the PodSecurityPolicyReview. Status PodSecurityPolicyReviewStatus }
PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
func (*PodSecurityPolicyReview) DeepCopy ¶
func (in *PodSecurityPolicyReview) DeepCopy() *PodSecurityPolicyReview
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReview.
func (*PodSecurityPolicyReview) DeepCopyInto ¶
func (in *PodSecurityPolicyReview) DeepCopyInto(out *PodSecurityPolicyReview)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicyReview) DeepCopyObject ¶
func (in *PodSecurityPolicyReview) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicyReviewSpec ¶
type PodSecurityPolicyReviewSpec struct { // Template is the PodTemplateSpec to check. The PodTemplateSpec.Spec.ServiceAccountName field is used // if ServiceAccountNames is empty, unless the PodTemplateSpec.Spec.ServiceAccountName is empty, // in which case "default" is used. // If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored. Template kapi.PodTemplateSpec // ServiceAccountNames is an optional set of ServiceAccounts to run the check with. // If ServiceAccountNames is empty, the PodTemplateSpec.Spec.ServiceAccountName is used, // unless it's empty, in which case "default" is used instead. // If ServiceAccountNames is specified, PodTemplateSpec.Spec.ServiceAccountName is ignored. ServiceAccountNames []string // TODO: find a way to express 'all service accounts' }
PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
func (*PodSecurityPolicyReviewSpec) DeepCopy ¶
func (in *PodSecurityPolicyReviewSpec) DeepCopy() *PodSecurityPolicyReviewSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewSpec.
func (*PodSecurityPolicyReviewSpec) DeepCopyInto ¶
func (in *PodSecurityPolicyReviewSpec) DeepCopyInto(out *PodSecurityPolicyReviewSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicyReviewStatus ¶
type PodSecurityPolicyReviewStatus struct { // AllowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec. AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus }
PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
func (*PodSecurityPolicyReviewStatus) DeepCopy ¶
func (in *PodSecurityPolicyReviewStatus) DeepCopy() *PodSecurityPolicyReviewStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewStatus.
func (*PodSecurityPolicyReviewStatus) DeepCopyInto ¶
func (in *PodSecurityPolicyReviewStatus) DeepCopyInto(out *PodSecurityPolicyReviewStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicySelfSubjectReview ¶
type PodSecurityPolicySelfSubjectReview struct { metav1.TypeMeta // Spec defines specification the PodSecurityPolicySelfSubjectReview. Spec PodSecurityPolicySelfSubjectReviewSpec // Status represents the current information/status for the PodSecurityPolicySelfSubjectReview. Status PodSecurityPolicySubjectReviewStatus }
PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec.
func (*PodSecurityPolicySelfSubjectReview) DeepCopy ¶
func (in *PodSecurityPolicySelfSubjectReview) DeepCopy() *PodSecurityPolicySelfSubjectReview
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReview.
func (*PodSecurityPolicySelfSubjectReview) DeepCopyInto ¶
func (in *PodSecurityPolicySelfSubjectReview) DeepCopyInto(out *PodSecurityPolicySelfSubjectReview)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicySelfSubjectReview) DeepCopyObject ¶
func (in *PodSecurityPolicySelfSubjectReview) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicySelfSubjectReviewSpec ¶
type PodSecurityPolicySelfSubjectReviewSpec struct { // Template is the PodTemplateSpec to check. Template kapi.PodTemplateSpec }
PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
func (*PodSecurityPolicySelfSubjectReviewSpec) DeepCopy ¶
func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopy() *PodSecurityPolicySelfSubjectReviewSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReviewSpec.
func (*PodSecurityPolicySelfSubjectReviewSpec) DeepCopyInto ¶
func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySelfSubjectReviewSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicySubjectReview ¶
type PodSecurityPolicySubjectReview struct { metav1.TypeMeta // Spec defines specification for the PodSecurityPolicySubjectReview. Spec PodSecurityPolicySubjectReviewSpec // Status represents the current information/status for the PodSecurityPolicySubjectReview. Status PodSecurityPolicySubjectReviewStatus }
PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
func (*PodSecurityPolicySubjectReview) DeepCopy ¶
func (in *PodSecurityPolicySubjectReview) DeepCopy() *PodSecurityPolicySubjectReview
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReview.
func (*PodSecurityPolicySubjectReview) DeepCopyInto ¶
func (in *PodSecurityPolicySubjectReview) DeepCopyInto(out *PodSecurityPolicySubjectReview)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicySubjectReview) DeepCopyObject ¶
func (in *PodSecurityPolicySubjectReview) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicySubjectReviewSpec ¶
type PodSecurityPolicySubjectReviewSpec struct { // Template is the PodTemplateSpec to check. If PodTemplateSpec.Spec.ServiceAccountName is empty it will not be defaulted. // If its non-empty, it will be checked. Template kapi.PodTemplateSpec // User is the user you're testing for. // If you specify "User" but not "Group", then is it interpreted as "What if User were not a member of any groups. // If User and Groups are empty, then the check is performed using *only* the ServiceAccountName in the PodTemplateSpec. User string // Groups is the groups you're testing for. Groups []string }
PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
func (*PodSecurityPolicySubjectReviewSpec) DeepCopy ¶
func (in *PodSecurityPolicySubjectReviewSpec) DeepCopy() *PodSecurityPolicySubjectReviewSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewSpec.
func (*PodSecurityPolicySubjectReviewSpec) DeepCopyInto ¶
func (in *PodSecurityPolicySubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySubjectReviewSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicySubjectReviewStatus ¶
type PodSecurityPolicySubjectReviewStatus struct { // AllowedBy is a reference to the rule that allows the PodTemplateSpec. // A rule can be a SecurityContextConstraint or a PodSecurityPolicy // A `nil`, indicates that it was denied. AllowedBy *kapi.ObjectReference // A machine-readable description of why this operation is in the // "Failure" status. If this value is empty there // is no information available. Reason string // Template is the PodTemplateSpec after the defaulting is applied. Template kapi.PodTemplateSpec }
PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
func (*PodSecurityPolicySubjectReviewStatus) DeepCopy ¶
func (in *PodSecurityPolicySubjectReviewStatus) DeepCopy() *PodSecurityPolicySubjectReviewStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewStatus.
func (*PodSecurityPolicySubjectReviewStatus) DeepCopyInto ¶
func (in *PodSecurityPolicySubjectReviewStatus) DeepCopyInto(out *PodSecurityPolicySubjectReviewStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RangeAllocation ¶
type RangeAllocation struct { metav1.TypeMeta // +optional metav1.ObjectMeta // range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000". Range string // data is a byte array representing the serialized state of a range allocation. It is a bitmap // with each bit set to one to represent a range is taken. Data []byte }
RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
func (*RangeAllocation) DeepCopy ¶
func (in *RangeAllocation) DeepCopy() *RangeAllocation
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocation.
func (*RangeAllocation) DeepCopyInto ¶
func (in *RangeAllocation) DeepCopyInto(out *RangeAllocation)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RangeAllocation) DeepCopyObject ¶
func (in *RangeAllocation) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RangeAllocationList ¶
type RangeAllocationList struct { metav1.TypeMeta // More info: http://releases.k8s.io/HEAD/docs/devel/api-conventions.md#metadata metav1.ListMeta // List of RangeAllocations. Items []RangeAllocation }
RangeAllocationList is a list of RangeAllocations objects
func (*RangeAllocationList) DeepCopy ¶
func (in *RangeAllocationList) DeepCopy() *RangeAllocationList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocationList.
func (*RangeAllocationList) DeepCopyInto ¶
func (in *RangeAllocationList) DeepCopyInto(out *RangeAllocationList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*RangeAllocationList) DeepCopyObject ¶
func (in *RangeAllocationList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type RunAsUserStrategyOptions ¶
type RunAsUserStrategyOptions struct { // Type is the strategy that will dictate what RunAsUser is used in the SecurityContext. Type RunAsUserStrategyType // UID is the user id that containers must run as. Required for the MustRunAs strategy if not using // namespace/service account allocated uids. UID *int64 // UIDRangeMin defines the min value for a strategy that allocates by range. UIDRangeMin *int64 // UIDRangeMax defines the max value for a strategy that allocates by range. UIDRangeMax *int64 }
RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
func (*RunAsUserStrategyOptions) DeepCopy ¶
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
func (*RunAsUserStrategyOptions) DeepCopyInto ¶
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RunAsUserStrategyType ¶
type RunAsUserStrategyType string
RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a SecurityContext
type SELinuxContextStrategyOptions ¶
type SELinuxContextStrategyOptions struct { // Type is the strategy that will dictate what SELinux context is used in the SecurityContext. Type SELinuxContextStrategyType // seLinuxOptions required to run as; required for MustRunAs SELinuxOptions *kapi.SELinuxOptions }
SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
func (*SELinuxContextStrategyOptions) DeepCopy ¶
func (in *SELinuxContextStrategyOptions) DeepCopy() *SELinuxContextStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxContextStrategyOptions.
func (*SELinuxContextStrategyOptions) DeepCopyInto ¶
func (in *SELinuxContextStrategyOptions) DeepCopyInto(out *SELinuxContextStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SELinuxContextStrategyType ¶
type SELinuxContextStrategyType string
SELinuxContextStrategyType denotes strategy types for generating SELinux options for a SecurityContext
type SecurityContextConstraints ¶
type SecurityContextConstraints struct { metav1.TypeMeta metav1.ObjectMeta // Priority influences the sort order of SCCs when evaluating which SCCs to try first for // a given pod request based on access in the Users and Groups fields. The higher the int, the // higher priority. An unset value is considered a 0 priority. If scores // for multiple SCCs are equal they will be sorted from most restrictive to // least restrictive. If both priorities and restrictions are equal the // SCCs will be sorted by name. Priority *int32 // AllowPrivilegedContainer determines if a container can request to be run as privileged. AllowPrivilegedContainer bool // DefaultAddCapabilities is the default set of capabilities that will be added to the container // unless the pod spec specifically drops the capability. You may not list a capabiility in both // DefaultAddCapabilities and RequiredDropCapabilities. DefaultAddCapabilities []kapi.Capability // RequiredDropCapabilities are the capabilities that will be dropped from the container. These // are required to be dropped and cannot be added. RequiredDropCapabilities []kapi.Capability // AllowedCapabilities is a list of capabilities that can be requested to add to the container. // Capabilities in this field maybe added at the pod author's discretion. // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. // To allow all capabilities you may use '*'. AllowedCapabilities []kapi.Capability // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". // To allow no volumes, set to ["none"]. Volumes []FSType // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes // is allowed in the "Volumes" field. // +optional AllowedFlexVolumes []AllowedFlexVolume // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. AllowHostNetwork bool // AllowHostPorts determines if the policy allows host ports in the containers. AllowHostPorts bool // AllowHostPID determines if the policy allows host pid in the containers. AllowHostPID bool // AllowHostIPC determines if the policy allows host ipc in the containers. AllowHostIPC bool // SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. SELinuxContext SELinuxContextStrategyOptions // RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. RunAsUser RunAsUserStrategyOptions // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. SupplementalGroups SupplementalGroupsStrategyOptions // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext. FSGroup FSGroupStrategyOptions // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the SCC should deny the pod. // If set to false the container may run with a read only root file system if it wishes but it // will not be forced to. ReadOnlyRootFilesystem bool // SeccompProfiles lists the allowed profiles that may be set for the pod or // container's seccomp annotations. An unset (nil) or empty value means that no profiles may // be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When // used to generate a value for a pod the first non-wildcard profile will be used as // the default. SeccompProfiles []string // The users who have permissions to use this security context constraints Users []string // The groups that have permission to use this security context constraints Groups []string }
SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container.
func (*SecurityContextConstraints) DeepCopy ¶
func (in *SecurityContextConstraints) DeepCopy() *SecurityContextConstraints
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraints.
func (*SecurityContextConstraints) DeepCopyInto ¶
func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstraints)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityContextConstraints) DeepCopyObject ¶
func (in *SecurityContextConstraints) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SecurityContextConstraintsList ¶
type SecurityContextConstraintsList struct { metav1.TypeMeta metav1.ListMeta Items []SecurityContextConstraints }
SecurityContextConstraintsList is a list of SecurityContextConstraints objects
func (*SecurityContextConstraintsList) DeepCopy ¶
func (in *SecurityContextConstraintsList) DeepCopy() *SecurityContextConstraintsList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraintsList.
func (*SecurityContextConstraintsList) DeepCopyInto ¶
func (in *SecurityContextConstraintsList) DeepCopyInto(out *SecurityContextConstraintsList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityContextConstraintsList) DeepCopyObject ¶
func (in *SecurityContextConstraintsList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ServiceAccountPodSecurityPolicyReviewStatus ¶
type ServiceAccountPodSecurityPolicyReviewStatus struct { PodSecurityPolicySubjectReviewStatus // Name contains the allowed and the denied ServiceAccount name Name string }
ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
func (*ServiceAccountPodSecurityPolicyReviewStatus) DeepCopy ¶
func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopy() *ServiceAccountPodSecurityPolicyReviewStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountPodSecurityPolicyReviewStatus.
func (*ServiceAccountPodSecurityPolicyReviewStatus) DeepCopyInto ¶
func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopyInto(out *ServiceAccountPodSecurityPolicyReviewStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SupplementalGroupsStrategyOptions ¶
type SupplementalGroupsStrategyOptions struct { // Type is the strategy that will dictate what supplemental groups is used in the SecurityContext. Type SupplementalGroupsStrategyType // Ranges are the allowed ranges of supplemental groups. If you would like to force a single // supplemental group then supply a single range with the same start and end. Ranges []IDRange }
SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
func (*SupplementalGroupsStrategyOptions) DeepCopy ¶
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
func (*SupplementalGroupsStrategyOptions) DeepCopyInto ¶
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SupplementalGroupsStrategyType ¶
type SupplementalGroupsStrategyType string
SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.
Directories ¶
Path | Synopsis |
---|---|
+groupName=security.openshift.io Package v1 is the v1 version of the API.
|
+groupName=security.openshift.io Package v1 is the v1 version of the API. |