v1beta1

package
v1.2.6 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jun 25, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var File_k8s_io_api_policy_v1beta1_generated_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type AllowedCSIDriver added in v1.2.4 

type AllowedCSIDriver struct {

	// Name is the registered name of the CSI driver
	Name *string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
	// contains filtered or unexported fields
}

AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.

func (*AllowedCSIDriver) Descriptor deprecated added in v1.2.4 

func (*AllowedCSIDriver) Descriptor() ([]byte, []int)

Deprecated: Use AllowedCSIDriver.ProtoReflect.Descriptor instead.

func (*AllowedCSIDriver) GetName added in v1.2.4 

func (x *AllowedCSIDriver) GetName() string

func (*AllowedCSIDriver) ProtoMessage added in v1.2.4 

func (*AllowedCSIDriver) ProtoMessage()

func (*AllowedCSIDriver) ProtoReflect added in v1.2.4 

func (x *AllowedCSIDriver) ProtoReflect() protoreflect.Message

func (*AllowedCSIDriver) Reset added in v1.2.4 

func (x *AllowedCSIDriver) Reset()

func (*AllowedCSIDriver) String added in v1.2.4 

func (x *AllowedCSIDriver) String() string

type AllowedFlexVolume added in v1.1.0 

type AllowedFlexVolume struct {

	// driver is the name of the Flexvolume driver.
	Driver *string `protobuf:"bytes,1,opt,name=driver" json:"driver,omitempty"`
	// contains filtered or unexported fields
}

AllowedFlexVolume represents a single Flexvolume that is allowed to be used.

func (*AllowedFlexVolume) Descriptor deprecated added in v1.1.0 

func (*AllowedFlexVolume) Descriptor() ([]byte, []int)

Deprecated: Use AllowedFlexVolume.ProtoReflect.Descriptor instead.

func (*AllowedFlexVolume) GetDriver added in v1.1.0 

func (x *AllowedFlexVolume) GetDriver() string

func (*AllowedFlexVolume) ProtoMessage added in v1.1.0 

func (*AllowedFlexVolume) ProtoMessage()

func (*AllowedFlexVolume) ProtoReflect added in v1.2.4 

func (x *AllowedFlexVolume) ProtoReflect() protoreflect.Message

func (*AllowedFlexVolume) Reset added in v1.1.0 

func (x *AllowedFlexVolume) Reset()

func (*AllowedFlexVolume) String added in v1.1.0 

func (x *AllowedFlexVolume) String() string

type AllowedHostPath added in v1.1.0 

type AllowedHostPath struct {

	// pathPrefix is the path prefix that the host volume must match.
	// It does not support `*`.
	// Trailing slashes are trimmed when validating the path prefix with a host path.
	//
	// Examples:
	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
	// `/foo` would not allow `/food` or `/etc/foo`
	PathPrefix *string `protobuf:"bytes,1,opt,name=pathPrefix" json:"pathPrefix,omitempty"`
	// when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
	// +optional
	ReadOnly *bool `protobuf:"varint,2,opt,name=readOnly" json:"readOnly,omitempty"`
	// contains filtered or unexported fields
}

AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.

func (*AllowedHostPath) Descriptor deprecated added in v1.1.0 

func (*AllowedHostPath) Descriptor() ([]byte, []int)

Deprecated: Use AllowedHostPath.ProtoReflect.Descriptor instead.

func (*AllowedHostPath) GetPathPrefix added in v1.1.0 

func (x *AllowedHostPath) GetPathPrefix() string

func (*AllowedHostPath) GetReadOnly added in v1.2.4 

func (x *AllowedHostPath) GetReadOnly() bool

func (*AllowedHostPath) ProtoMessage added in v1.1.0 

func (*AllowedHostPath) ProtoMessage()

func (*AllowedHostPath) ProtoReflect added in v1.2.4 

func (x *AllowedHostPath) ProtoReflect() protoreflect.Message

func (*AllowedHostPath) Reset added in v1.1.0 

func (x *AllowedHostPath) Reset()

func (*AllowedHostPath) String added in v1.1.0 

func (x *AllowedHostPath) String() string

type Eviction 

type Eviction struct {

	// ObjectMeta describes the pod that is being evicted.
	// +optional
	Metadata *v1.ObjectMeta `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
	// DeleteOptions may be provided
	// +optional
	DeleteOptions *v1.DeleteOptions `protobuf:"bytes,2,opt,name=deleteOptions" json:"deleteOptions,omitempty"`
	// contains filtered or unexported fields
}

Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/evictions.

func (*Eviction) Descriptor deprecated 

func (*Eviction) Descriptor() ([]byte, []int)

Deprecated: Use Eviction.ProtoReflect.Descriptor instead.

func (*Eviction) GetDeleteOptions 

func (x *Eviction) GetDeleteOptions() *v1.DeleteOptions

func (*Eviction) GetMetadata 

func (x *Eviction) GetMetadata() *v1.ObjectMeta

func (*Eviction) ProtoMessage 

func (*Eviction) ProtoMessage()

func (*Eviction) ProtoReflect added in v1.2.4 

func (x *Eviction) ProtoReflect() protoreflect.Message

func (*Eviction) Reset 

func (x *Eviction) Reset()

func (*Eviction) String 

func (x *Eviction) String() string

type FSGroupStrategyOptions added in v1.1.0 

type FSGroupStrategyOptions struct {

	// rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
	// +optional
	Rule *string `protobuf:"bytes,1,opt,name=rule" json:"rule,omitempty"`
	// ranges are the allowed ranges of fs groups.  If you would like to force a single
	// fs group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []*IDRange `protobuf:"bytes,2,rep,name=ranges" json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

func (*FSGroupStrategyOptions) Descriptor deprecated added in v1.1.0 

func (*FSGroupStrategyOptions) Descriptor() ([]byte, []int)

Deprecated: Use FSGroupStrategyOptions.ProtoReflect.Descriptor instead.

func (*FSGroupStrategyOptions) GetRanges added in v1.1.0 

func (x *FSGroupStrategyOptions) GetRanges() []*IDRange

func (*FSGroupStrategyOptions) GetRule added in v1.1.0 

func (x *FSGroupStrategyOptions) GetRule() string

func (*FSGroupStrategyOptions) ProtoMessage added in v1.1.0 

func (*FSGroupStrategyOptions) ProtoMessage()

func (*FSGroupStrategyOptions) ProtoReflect added in v1.2.4 

func (x *FSGroupStrategyOptions) ProtoReflect() protoreflect.Message

func (*FSGroupStrategyOptions) Reset added in v1.1.0 

func (x *FSGroupStrategyOptions) Reset()

func (*FSGroupStrategyOptions) String added in v1.1.0 

func (x *FSGroupStrategyOptions) String() string

type HostPortRange added in v1.1.0 

type HostPortRange struct {

	// min is the start of the range, inclusive.
	Min *int32 `protobuf:"varint,1,opt,name=min" json:"min,omitempty"`
	// max is the end of the range, inclusive.
	Max *int32 `protobuf:"varint,2,opt,name=max" json:"max,omitempty"`
	// contains filtered or unexported fields
}

HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.

func (*HostPortRange) Descriptor deprecated added in v1.1.0 

func (*HostPortRange) Descriptor() ([]byte, []int)

Deprecated: Use HostPortRange.ProtoReflect.Descriptor instead.

func (*HostPortRange) GetMax added in v1.1.0 

func (x *HostPortRange) GetMax() int32

func (*HostPortRange) GetMin added in v1.1.0 

func (x *HostPortRange) GetMin() int32

func (*HostPortRange) ProtoMessage added in v1.1.0 

func (*HostPortRange) ProtoMessage()

func (*HostPortRange) ProtoReflect added in v1.2.4 

func (x *HostPortRange) ProtoReflect() protoreflect.Message

func (*HostPortRange) Reset added in v1.1.0 

func (x *HostPortRange) Reset()

func (*HostPortRange) String added in v1.1.0 

func (x *HostPortRange) String() string

type IDRange added in v1.1.0 

type IDRange struct {

	// min is the start of the range, inclusive.
	Min *int64 `protobuf:"varint,1,opt,name=min" json:"min,omitempty"`
	// max is the end of the range, inclusive.
	Max *int64 `protobuf:"varint,2,opt,name=max" json:"max,omitempty"`
	// contains filtered or unexported fields
}

IDRange provides a min/max of an allowed range of IDs.

func (*IDRange) Descriptor deprecated added in v1.1.0 

func (*IDRange) Descriptor() ([]byte, []int)

Deprecated: Use IDRange.ProtoReflect.Descriptor instead.

func (*IDRange) GetMax added in v1.1.0 

func (x *IDRange) GetMax() int64

func (*IDRange) GetMin added in v1.1.0 

func (x *IDRange) GetMin() int64

func (*IDRange) ProtoMessage added in v1.1.0 

func (*IDRange) ProtoMessage()

func (*IDRange) ProtoReflect added in v1.2.4 

func (x *IDRange) ProtoReflect() protoreflect.Message

func (*IDRange) Reset added in v1.1.0 

func (x *IDRange) Reset()

func (*IDRange) String added in v1.1.0 

func (x *IDRange) String() string

type PodDisruptionBudget 

type PodDisruptionBudget struct {

	// +optional
	Metadata *v1.ObjectMeta `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
	// Specification of the desired behavior of the PodDisruptionBudget.
	// +optional
	Spec *PodDisruptionBudgetSpec `protobuf:"bytes,2,opt,name=spec" json:"spec,omitempty"`
	// Most recently observed status of the PodDisruptionBudget.
	// +optional
	Status *PodDisruptionBudgetStatus `protobuf:"bytes,3,opt,name=status" json:"status,omitempty"`
	// contains filtered or unexported fields
}

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods

func (*PodDisruptionBudget) Descriptor deprecated 

func (*PodDisruptionBudget) Descriptor() ([]byte, []int)

Deprecated: Use PodDisruptionBudget.ProtoReflect.Descriptor instead.

func (*PodDisruptionBudget) GetMetadata 

func (x *PodDisruptionBudget) GetMetadata() *v1.ObjectMeta

func (*PodDisruptionBudget) GetSpec 

func (x *PodDisruptionBudget) GetSpec() *PodDisruptionBudgetSpec

func (*PodDisruptionBudget) GetStatus 

func (x *PodDisruptionBudget) GetStatus() *PodDisruptionBudgetStatus

func (*PodDisruptionBudget) ProtoMessage 

func (*PodDisruptionBudget) ProtoMessage()

func (*PodDisruptionBudget) ProtoReflect added in v1.2.4 

func (x *PodDisruptionBudget) ProtoReflect() protoreflect.Message

func (*PodDisruptionBudget) Reset 

func (x *PodDisruptionBudget) Reset()

func (*PodDisruptionBudget) String 

func (x *PodDisruptionBudget) String() string

type PodDisruptionBudgetList 

type PodDisruptionBudgetList struct {

	// +optional
	Metadata *v1.ListMeta           `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
	Items    []*PodDisruptionBudget `protobuf:"bytes,2,rep,name=items" json:"items,omitempty"`
	// contains filtered or unexported fields
}

PodDisruptionBudgetList is a collection of PodDisruptionBudgets.

func (*PodDisruptionBudgetList) Descriptor deprecated 

func (*PodDisruptionBudgetList) Descriptor() ([]byte, []int)

Deprecated: Use PodDisruptionBudgetList.ProtoReflect.Descriptor instead.

func (*PodDisruptionBudgetList) GetItems 

func (x *PodDisruptionBudgetList) GetItems() []*PodDisruptionBudget

func (*PodDisruptionBudgetList) GetMetadata 

func (x *PodDisruptionBudgetList) GetMetadata() *v1.ListMeta

func (*PodDisruptionBudgetList) ProtoMessage 

func (*PodDisruptionBudgetList) ProtoMessage()

func (*PodDisruptionBudgetList) ProtoReflect added in v1.2.4 

func (x *PodDisruptionBudgetList) ProtoReflect() protoreflect.Message

func (*PodDisruptionBudgetList) Reset 

func (x *PodDisruptionBudgetList) Reset()

func (*PodDisruptionBudgetList) String 

func (x *PodDisruptionBudgetList) String() string

type PodDisruptionBudgetSpec 

type PodDisruptionBudgetSpec struct {

	// An eviction is allowed if at least "minAvailable" pods selected by
	// "selector" will still be available after the eviction, i.e. even in the
	// absence of the evicted pod.  So for example you can prevent all voluntary
	// evictions by specifying "100%".
	// +optional
	MinAvailable *intstr.IntOrString `protobuf:"bytes,1,opt,name=minAvailable" json:"minAvailable,omitempty"`
	// Label query over pods whose evictions are managed by the disruption
	// budget.
	// +optional
	Selector *v1.LabelSelector `protobuf:"bytes,2,opt,name=selector" json:"selector,omitempty"`
	// An eviction is allowed if at most "maxUnavailable" pods selected by
	// "selector" are unavailable after the eviction, i.e. even in absence of
	// the evicted pod. For example, one can prevent all voluntary evictions
	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
	// +optional
	MaxUnavailable *intstr.IntOrString `protobuf:"bytes,3,opt,name=maxUnavailable" json:"maxUnavailable,omitempty"`
	// contains filtered or unexported fields
}

PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.

func (*PodDisruptionBudgetSpec) Descriptor deprecated 

func (*PodDisruptionBudgetSpec) Descriptor() ([]byte, []int)

Deprecated: Use PodDisruptionBudgetSpec.ProtoReflect.Descriptor instead.

func (*PodDisruptionBudgetSpec) GetMaxUnavailable added in v1.0.0 

func (x *PodDisruptionBudgetSpec) GetMaxUnavailable() *intstr.IntOrString

func (*PodDisruptionBudgetSpec) GetMinAvailable 

func (x *PodDisruptionBudgetSpec) GetMinAvailable() *intstr.IntOrString

func (*PodDisruptionBudgetSpec) GetSelector 

func (x *PodDisruptionBudgetSpec) GetSelector() *v1.LabelSelector

func (*PodDisruptionBudgetSpec) ProtoMessage 

func (*PodDisruptionBudgetSpec) ProtoMessage()

func (*PodDisruptionBudgetSpec) ProtoReflect added in v1.2.4 

func (x *PodDisruptionBudgetSpec) ProtoReflect() protoreflect.Message

func (*PodDisruptionBudgetSpec) Reset 

func (x *PodDisruptionBudgetSpec) Reset()

func (*PodDisruptionBudgetSpec) String 

func (x *PodDisruptionBudgetSpec) String() string

type PodDisruptionBudgetStatus 

type PodDisruptionBudgetStatus struct {

	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
	// status information is valid only if observedGeneration equals to PDB's object generation.
	// +optional
	ObservedGeneration *int64 `protobuf:"varint,1,opt,name=observedGeneration" json:"observedGeneration,omitempty"`
	// DisruptedPods contains information about pods whose eviction was
	// processed by the API server eviction subresource handler but has not
	// yet been observed by the PodDisruptionBudget controller.
	// A pod will be in this map from the time when the API server processed the
	// eviction request to the time when the pod is seen by PDB controller
	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
	// and the value is the time when the API server processed the eviction request. If
	// the deletion didn't occur and a pod is still there it will be removed from
	// the list automatically by PodDisruptionBudget controller after some time.
	// If everything goes smooth this map should be empty for the most of the time.
	// Large number of entries in the map may indicate problems with pod deletions.
	// +optional
	DisruptedPods map[string]*v1.Time `` /* 146-byte string literal not displayed */
	// Number of pod disruptions that are currently allowed.
	DisruptionsAllowed *int32 `protobuf:"varint,3,opt,name=disruptionsAllowed" json:"disruptionsAllowed,omitempty"`
	// current number of healthy pods
	CurrentHealthy *int32 `protobuf:"varint,4,opt,name=currentHealthy" json:"currentHealthy,omitempty"`
	// minimum desired number of healthy pods
	DesiredHealthy *int32 `protobuf:"varint,5,opt,name=desiredHealthy" json:"desiredHealthy,omitempty"`
	// total number of pods counted by this disruption budget
	ExpectedPods *int32 `protobuf:"varint,6,opt,name=expectedPods" json:"expectedPods,omitempty"`
	// contains filtered or unexported fields
}

PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.

func (*PodDisruptionBudgetStatus) Descriptor deprecated 

func (*PodDisruptionBudgetStatus) Descriptor() ([]byte, []int)

Deprecated: Use PodDisruptionBudgetStatus.ProtoReflect.Descriptor instead.

func (*PodDisruptionBudgetStatus) GetCurrentHealthy 

func (x *PodDisruptionBudgetStatus) GetCurrentHealthy() int32

func (*PodDisruptionBudgetStatus) GetDesiredHealthy 

func (x *PodDisruptionBudgetStatus) GetDesiredHealthy() int32

func (*PodDisruptionBudgetStatus) GetDisruptedPods 

func (x *PodDisruptionBudgetStatus) GetDisruptedPods() map[string]*v1.Time

func (*PodDisruptionBudgetStatus) GetDisruptionsAllowed 

func (x *PodDisruptionBudgetStatus) GetDisruptionsAllowed() int32

func (*PodDisruptionBudgetStatus) GetExpectedPods 

func (x *PodDisruptionBudgetStatus) GetExpectedPods() int32

func (*PodDisruptionBudgetStatus) GetObservedGeneration 

func (x *PodDisruptionBudgetStatus) GetObservedGeneration() int64

func (*PodDisruptionBudgetStatus) ProtoMessage 

func (*PodDisruptionBudgetStatus) ProtoMessage()

func (*PodDisruptionBudgetStatus) ProtoReflect added in v1.2.4 

func (x *PodDisruptionBudgetStatus) ProtoReflect() protoreflect.Message

func (*PodDisruptionBudgetStatus) Reset 

func (x *PodDisruptionBudgetStatus) Reset()

func (*PodDisruptionBudgetStatus) String 

func (x *PodDisruptionBudgetStatus) String() string

type PodSecurityPolicy added in v1.1.0 

type PodSecurityPolicy struct {

	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	Metadata *v1.ObjectMeta `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
	// spec defines the policy enforced.
	// +optional
	Spec *PodSecurityPolicySpec `protobuf:"bytes,2,opt,name=spec" json:"spec,omitempty"`
	// contains filtered or unexported fields
}

PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container.

func (*PodSecurityPolicy) Descriptor deprecated added in v1.1.0 

func (*PodSecurityPolicy) Descriptor() ([]byte, []int)

Deprecated: Use PodSecurityPolicy.ProtoReflect.Descriptor instead.

func (*PodSecurityPolicy) GetMetadata added in v1.1.0 

func (x *PodSecurityPolicy) GetMetadata() *v1.ObjectMeta

func (*PodSecurityPolicy) GetSpec added in v1.1.0 

func (x *PodSecurityPolicy) GetSpec() *PodSecurityPolicySpec

func (*PodSecurityPolicy) ProtoMessage added in v1.1.0 

func (*PodSecurityPolicy) ProtoMessage()

func (*PodSecurityPolicy) ProtoReflect added in v1.2.4 

func (x *PodSecurityPolicy) ProtoReflect() protoreflect.Message

func (*PodSecurityPolicy) Reset added in v1.1.0 

func (x *PodSecurityPolicy) Reset()

func (*PodSecurityPolicy) String added in v1.1.0 

func (x *PodSecurityPolicy) String() string

type PodSecurityPolicyList added in v1.1.0 

type PodSecurityPolicyList struct {

	// Standard list metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	Metadata *v1.ListMeta `protobuf:"bytes,1,opt,name=metadata" json:"metadata,omitempty"`
	// items is a list of schema objects.
	Items []*PodSecurityPolicy `protobuf:"bytes,2,rep,name=items" json:"items,omitempty"`
	// contains filtered or unexported fields
}

PodSecurityPolicyList is a list of PodSecurityPolicy objects.

func (*PodSecurityPolicyList) Descriptor deprecated added in v1.1.0 

func (*PodSecurityPolicyList) Descriptor() ([]byte, []int)

Deprecated: Use PodSecurityPolicyList.ProtoReflect.Descriptor instead.

func (*PodSecurityPolicyList) GetItems added in v1.1.0 

func (x *PodSecurityPolicyList) GetItems() []*PodSecurityPolicy

func (*PodSecurityPolicyList) GetMetadata added in v1.1.0 

func (x *PodSecurityPolicyList) GetMetadata() *v1.ListMeta

func (*PodSecurityPolicyList) ProtoMessage added in v1.1.0 

func (*PodSecurityPolicyList) ProtoMessage()

func (*PodSecurityPolicyList) ProtoReflect added in v1.2.4 

func (x *PodSecurityPolicyList) ProtoReflect() protoreflect.Message

func (*PodSecurityPolicyList) Reset added in v1.1.0 

func (x *PodSecurityPolicyList) Reset()

func (*PodSecurityPolicyList) String added in v1.1.0 

func (x *PodSecurityPolicyList) String() string

type PodSecurityPolicySpec added in v1.1.0 

type PodSecurityPolicySpec struct {

	// privileged determines if a pod can request to be run as privileged.
	// +optional
	Privileged *bool `protobuf:"varint,1,opt,name=privileged" json:"privileged,omitempty"`
	// defaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability.  You may not list a capability in both
	// defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
	// allowed, and need not be included in the allowedCapabilities list.
	// +optional
	DefaultAddCapabilities []string `protobuf:"bytes,2,rep,name=defaultAddCapabilities" json:"defaultAddCapabilities,omitempty"`
	// requiredDropCapabilities are the capabilities that will be dropped from the container.  These
	// are required to be dropped and cannot be added.
	// +optional
	RequiredDropCapabilities []string `protobuf:"bytes,3,rep,name=requiredDropCapabilities" json:"requiredDropCapabilities,omitempty"`
	// allowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field may be added at the pod author's discretion.
	// You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
	// +optional
	AllowedCapabilities []string `protobuf:"bytes,4,rep,name=allowedCapabilities" json:"allowedCapabilities,omitempty"`
	// volumes is an allowlist of volume plugins. Empty indicates that
	// no volumes may be used. To allow all volumes you may use '*'.
	// +optional
	Volumes []string `protobuf:"bytes,5,rep,name=volumes" json:"volumes,omitempty"`
	// hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	// +optional
	HostNetwork *bool `protobuf:"varint,6,opt,name=hostNetwork" json:"hostNetwork,omitempty"`
	// hostPorts determines which host port ranges are allowed to be exposed.
	// +optional
	HostPorts []*HostPortRange `protobuf:"bytes,7,rep,name=hostPorts" json:"hostPorts,omitempty"`
	// hostPID determines if the policy allows the use of HostPID in the pod spec.
	// +optional
	HostPID *bool `protobuf:"varint,8,opt,name=hostPID" json:"hostPID,omitempty"`
	// hostIPC determines if the policy allows the use of HostIPC in the pod spec.
	// +optional
	HostIPC *bool `protobuf:"varint,9,opt,name=hostIPC" json:"hostIPC,omitempty"`
	// seLinux is the strategy that will dictate the allowable labels that may be set.
	SeLinux *SELinuxStrategyOptions `protobuf:"bytes,10,opt,name=seLinux" json:"seLinux,omitempty"`
	// runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
	RunAsUser *RunAsUserStrategyOptions `protobuf:"bytes,11,opt,name=runAsUser" json:"runAsUser,omitempty"`
	// RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
	// If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
	// RunAsGroup feature gate to be enabled.
	// +optional
	RunAsGroup *RunAsGroupStrategyOptions `protobuf:"bytes,22,opt,name=runAsGroup" json:"runAsGroup,omitempty"`
	// supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	SupplementalGroups *SupplementalGroupsStrategyOptions `protobuf:"bytes,12,opt,name=supplementalGroups" json:"supplementalGroups,omitempty"`
	// fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	FsGroup *FSGroupStrategyOptions `protobuf:"bytes,13,opt,name=fsGroup" json:"fsGroup,omitempty"`
	// readOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system.  If the container specifically requests to run with a non-read only root file system
	// the PSP should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	// +optional
	ReadOnlyRootFilesystem *bool `protobuf:"varint,14,opt,name=readOnlyRootFilesystem" json:"readOnlyRootFilesystem,omitempty"`
	// defaultAllowPrivilegeEscalation controls the default setting for whether a
	// process can gain more privileges than its parent process.
	// +optional
	DefaultAllowPrivilegeEscalation *bool `protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation" json:"defaultAllowPrivilegeEscalation,omitempty"`
	// allowPrivilegeEscalation determines if a pod can request to allow
	// privilege escalation. If unspecified, defaults to true.
	// +optional
	AllowPrivilegeEscalation *bool `protobuf:"varint,16,opt,name=allowPrivilegeEscalation" json:"allowPrivilegeEscalation,omitempty"`
	// allowedHostPaths is an allowlist of host paths. Empty indicates
	// that all host paths may be used.
	// +optional
	AllowedHostPaths []*AllowedHostPath `protobuf:"bytes,17,rep,name=allowedHostPaths" json:"allowedHostPaths,omitempty"`
	// allowedFlexVolumes is an allowlist of Flexvolumes.  Empty or nil indicates that all
	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
	// is allowed in the "volumes" field.
	// +optional
	AllowedFlexVolumes []*AllowedFlexVolume `protobuf:"bytes,18,rep,name=allowedFlexVolumes" json:"allowedFlexVolumes,omitempty"`
	// AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
	// An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
	// This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.
	// +optional
	AllowedCSIDrivers []*AllowedCSIDriver `protobuf:"bytes,23,rep,name=allowedCSIDrivers" json:"allowedCSIDrivers,omitempty"`
	// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
	// Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
	//
	// Examples:
	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
	// +optional
	AllowedUnsafeSysctls []string `protobuf:"bytes,19,rep,name=allowedUnsafeSysctls" json:"allowedUnsafeSysctls,omitempty"`
	// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
	//
	// Examples:
	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
	// +optional
	ForbiddenSysctls []string `protobuf:"bytes,20,rep,name=forbiddenSysctls" json:"forbiddenSysctls,omitempty"`
	// AllowedProcMountTypes is an allowlist of allowed ProcMountTypes.
	// Empty or nil indicates that only the DefaultProcMountType may be used.
	// This requires the ProcMountType feature flag to be enabled.
	// +optional
	AllowedProcMountTypes []string `protobuf:"bytes,21,rep,name=allowedProcMountTypes" json:"allowedProcMountTypes,omitempty"`
	// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
	// If this field is omitted, the pod's runtimeClassName field is unrestricted.
	// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
	// +optional
	RuntimeClass *RuntimeClassStrategyOptions `protobuf:"bytes,24,opt,name=runtimeClass" json:"runtimeClass,omitempty"`
	// contains filtered or unexported fields
}

PodSecurityPolicySpec defines the policy enforced.

func (*PodSecurityPolicySpec) Descriptor deprecated added in v1.1.0 

func (*PodSecurityPolicySpec) Descriptor() ([]byte, []int)

Deprecated: Use PodSecurityPolicySpec.ProtoReflect.Descriptor instead.

func (*PodSecurityPolicySpec) GetAllowPrivilegeEscalation added in v1.1.0 

func (x *PodSecurityPolicySpec) GetAllowPrivilegeEscalation() bool

func (*PodSecurityPolicySpec) GetAllowedCSIDrivers added in v1.2.4 

func (x *PodSecurityPolicySpec) GetAllowedCSIDrivers() []*AllowedCSIDriver

func (*PodSecurityPolicySpec) GetAllowedCapabilities added in v1.1.0 

func (x *PodSecurityPolicySpec) GetAllowedCapabilities() []string

func (*PodSecurityPolicySpec) GetAllowedFlexVolumes added in v1.1.0 

func (x *PodSecurityPolicySpec) GetAllowedFlexVolumes() []*AllowedFlexVolume

func (*PodSecurityPolicySpec) GetAllowedHostPaths added in v1.1.0 

func (x *PodSecurityPolicySpec) GetAllowedHostPaths() []*AllowedHostPath

func (*PodSecurityPolicySpec) GetAllowedProcMountTypes added in v1.2.4 

func (x *PodSecurityPolicySpec) GetAllowedProcMountTypes() []string

func (*PodSecurityPolicySpec) GetAllowedUnsafeSysctls added in v1.2.4 

func (x *PodSecurityPolicySpec) GetAllowedUnsafeSysctls() []string

func (*PodSecurityPolicySpec) GetDefaultAddCapabilities added in v1.1.0 

func (x *PodSecurityPolicySpec) GetDefaultAddCapabilities() []string

func (*PodSecurityPolicySpec) GetDefaultAllowPrivilegeEscalation added in v1.1.0 

func (x *PodSecurityPolicySpec) GetDefaultAllowPrivilegeEscalation() bool

func (*PodSecurityPolicySpec) GetForbiddenSysctls added in v1.2.4 

func (x *PodSecurityPolicySpec) GetForbiddenSysctls() []string

func (*PodSecurityPolicySpec) GetFsGroup added in v1.1.0 

func (x *PodSecurityPolicySpec) GetFsGroup() *FSGroupStrategyOptions

func (*PodSecurityPolicySpec) GetHostIPC added in v1.1.0 

func (x *PodSecurityPolicySpec) GetHostIPC() bool

func (*PodSecurityPolicySpec) GetHostNetwork added in v1.1.0 

func (x *PodSecurityPolicySpec) GetHostNetwork() bool

func (*PodSecurityPolicySpec) GetHostPID added in v1.1.0 

func (x *PodSecurityPolicySpec) GetHostPID() bool

func (*PodSecurityPolicySpec) GetHostPorts added in v1.1.0 

func (x *PodSecurityPolicySpec) GetHostPorts() []*HostPortRange

func (*PodSecurityPolicySpec) GetPrivileged added in v1.1.0 

func (x *PodSecurityPolicySpec) GetPrivileged() bool

func (*PodSecurityPolicySpec) GetReadOnlyRootFilesystem added in v1.1.0 

func (x *PodSecurityPolicySpec) GetReadOnlyRootFilesystem() bool

func (*PodSecurityPolicySpec) GetRequiredDropCapabilities added in v1.1.0 

func (x *PodSecurityPolicySpec) GetRequiredDropCapabilities() []string

func (*PodSecurityPolicySpec) GetRunAsGroup added in v1.2.4 

func (x *PodSecurityPolicySpec) GetRunAsGroup() *RunAsGroupStrategyOptions

func (*PodSecurityPolicySpec) GetRunAsUser added in v1.1.0 

func (x *PodSecurityPolicySpec) GetRunAsUser() *RunAsUserStrategyOptions

func (*PodSecurityPolicySpec) GetRuntimeClass added in v1.2.4 

func (x *PodSecurityPolicySpec) GetRuntimeClass() *RuntimeClassStrategyOptions

func (*PodSecurityPolicySpec) GetSeLinux added in v1.1.0 

func (x *PodSecurityPolicySpec) GetSeLinux() *SELinuxStrategyOptions

func (*PodSecurityPolicySpec) GetSupplementalGroups added in v1.1.0 

func (x *PodSecurityPolicySpec) GetSupplementalGroups() *SupplementalGroupsStrategyOptions

func (*PodSecurityPolicySpec) GetVolumes added in v1.1.0 

func (x *PodSecurityPolicySpec) GetVolumes() []string

func (*PodSecurityPolicySpec) ProtoMessage added in v1.1.0 

func (*PodSecurityPolicySpec) ProtoMessage()

func (*PodSecurityPolicySpec) ProtoReflect added in v1.2.4 

func (x *PodSecurityPolicySpec) ProtoReflect() protoreflect.Message

func (*PodSecurityPolicySpec) Reset added in v1.1.0 

func (x *PodSecurityPolicySpec) Reset()

func (*PodSecurityPolicySpec) String added in v1.1.0 

func (x *PodSecurityPolicySpec) String() string

type RunAsGroupStrategyOptions added in v1.2.4 

type RunAsGroupStrategyOptions struct {

	// rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
	Rule *string `protobuf:"bytes,1,opt,name=rule" json:"rule,omitempty"`
	// ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []*IDRange `protobuf:"bytes,2,rep,name=ranges" json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsGroupStrategyOptions) Descriptor deprecated added in v1.2.4 

func (*RunAsGroupStrategyOptions) Descriptor() ([]byte, []int)

Deprecated: Use RunAsGroupStrategyOptions.ProtoReflect.Descriptor instead.

func (*RunAsGroupStrategyOptions) GetRanges added in v1.2.4 

func (x *RunAsGroupStrategyOptions) GetRanges() []*IDRange

func (*RunAsGroupStrategyOptions) GetRule added in v1.2.4 

func (x *RunAsGroupStrategyOptions) GetRule() string

func (*RunAsGroupStrategyOptions) ProtoMessage added in v1.2.4 

func (*RunAsGroupStrategyOptions) ProtoMessage()

func (*RunAsGroupStrategyOptions) ProtoReflect added in v1.2.4 

func (x *RunAsGroupStrategyOptions) ProtoReflect() protoreflect.Message

func (*RunAsGroupStrategyOptions) Reset added in v1.2.4 

func (x *RunAsGroupStrategyOptions) Reset()

func (*RunAsGroupStrategyOptions) String added in v1.2.4 

func (x *RunAsGroupStrategyOptions) String() string

type RunAsUserStrategyOptions added in v1.1.0 

type RunAsUserStrategyOptions struct {

	// rule is the strategy that will dictate the allowable RunAsUser values that may be set.
	Rule *string `protobuf:"bytes,1,opt,name=rule" json:"rule,omitempty"`
	// ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []*IDRange `protobuf:"bytes,2,rep,name=ranges" json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsUserStrategyOptions) Descriptor deprecated added in v1.1.0 

func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int)

Deprecated: Use RunAsUserStrategyOptions.ProtoReflect.Descriptor instead.

func (*RunAsUserStrategyOptions) GetRanges added in v1.1.0 

func (x *RunAsUserStrategyOptions) GetRanges() []*IDRange

func (*RunAsUserStrategyOptions) GetRule added in v1.1.0 

func (x *RunAsUserStrategyOptions) GetRule() string

func (*RunAsUserStrategyOptions) ProtoMessage added in v1.1.0 

func (*RunAsUserStrategyOptions) ProtoMessage()

func (*RunAsUserStrategyOptions) ProtoReflect added in v1.2.4 

func (x *RunAsUserStrategyOptions) ProtoReflect() protoreflect.Message

func (*RunAsUserStrategyOptions) Reset added in v1.1.0 

func (x *RunAsUserStrategyOptions) Reset()

func (*RunAsUserStrategyOptions) String added in v1.1.0 

func (x *RunAsUserStrategyOptions) String() string

type RuntimeClassStrategyOptions added in v1.2.4 

type RuntimeClassStrategyOptions struct {

	// allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
	// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
	// list. An empty list requires the RuntimeClassName field to be unset.
	AllowedRuntimeClassNames []string `protobuf:"bytes,1,rep,name=allowedRuntimeClassNames" json:"allowedRuntimeClassNames,omitempty"`
	// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
	// The default MUST be allowed by the allowedRuntimeClassNames list.
	// A value of nil does not mutate the Pod.
	// +optional
	DefaultRuntimeClassName *string `protobuf:"bytes,2,opt,name=defaultRuntimeClassName" json:"defaultRuntimeClassName,omitempty"`
	// contains filtered or unexported fields
}

RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.

func (*RuntimeClassStrategyOptions) Descriptor deprecated added in v1.2.4 

func (*RuntimeClassStrategyOptions) Descriptor() ([]byte, []int)

Deprecated: Use RuntimeClassStrategyOptions.ProtoReflect.Descriptor instead.

func (*RuntimeClassStrategyOptions) GetAllowedRuntimeClassNames added in v1.2.4 

func (x *RuntimeClassStrategyOptions) GetAllowedRuntimeClassNames() []string

func (*RuntimeClassStrategyOptions) GetDefaultRuntimeClassName added in v1.2.4 

func (x *RuntimeClassStrategyOptions) GetDefaultRuntimeClassName() string

func (*RuntimeClassStrategyOptions) ProtoMessage added in v1.2.4 

func (*RuntimeClassStrategyOptions) ProtoMessage()

func (*RuntimeClassStrategyOptions) ProtoReflect added in v1.2.4 

func (x *RuntimeClassStrategyOptions) ProtoReflect() protoreflect.Message

func (*RuntimeClassStrategyOptions) Reset added in v1.2.4 

func (x *RuntimeClassStrategyOptions) Reset()

func (*RuntimeClassStrategyOptions) String added in v1.2.4 

func (x *RuntimeClassStrategyOptions) String() string

type SELinuxStrategyOptions added in v1.1.0 

type SELinuxStrategyOptions struct {

	// rule is the strategy that will dictate the allowable labels that may be set.
	Rule *string `protobuf:"bytes,1,opt,name=rule" json:"rule,omitempty"`
	// seLinuxOptions required to run as; required for MustRunAs
	// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
	// +optional
	SeLinuxOptions *v11.SELinuxOptions `protobuf:"bytes,2,opt,name=seLinuxOptions" json:"seLinuxOptions,omitempty"`
	// contains filtered or unexported fields
}

SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.

func (*SELinuxStrategyOptions) Descriptor deprecated added in v1.1.0 

func (*SELinuxStrategyOptions) Descriptor() ([]byte, []int)

Deprecated: Use SELinuxStrategyOptions.ProtoReflect.Descriptor instead.

func (*SELinuxStrategyOptions) GetRule added in v1.1.0 

func (x *SELinuxStrategyOptions) GetRule() string

func (*SELinuxStrategyOptions) GetSeLinuxOptions added in v1.1.0 

func (x *SELinuxStrategyOptions) GetSeLinuxOptions() *v11.SELinuxOptions

func (*SELinuxStrategyOptions) ProtoMessage added in v1.1.0 

func (*SELinuxStrategyOptions) ProtoMessage()

func (*SELinuxStrategyOptions) ProtoReflect added in v1.2.4 

func (x *SELinuxStrategyOptions) ProtoReflect() protoreflect.Message

func (*SELinuxStrategyOptions) Reset added in v1.1.0 

func (x *SELinuxStrategyOptions) Reset()

func (*SELinuxStrategyOptions) String added in v1.1.0 

func (x *SELinuxStrategyOptions) String() string

type SupplementalGroupsStrategyOptions added in v1.1.0 

type SupplementalGroupsStrategyOptions struct {

	// rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
	// +optional
	Rule *string `protobuf:"bytes,1,opt,name=rule" json:"rule,omitempty"`
	// ranges are the allowed ranges of supplemental groups.  If you would like to force a single
	// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []*IDRange `protobuf:"bytes,2,rep,name=ranges" json:"ranges,omitempty"`
	// contains filtered or unexported fields
}

SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

func (*SupplementalGroupsStrategyOptions) Descriptor deprecated added in v1.1.0 

func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int)

Deprecated: Use SupplementalGroupsStrategyOptions.ProtoReflect.Descriptor instead.

func (*SupplementalGroupsStrategyOptions) GetRanges added in v1.1.0 

func (x *SupplementalGroupsStrategyOptions) GetRanges() []*IDRange

func (*SupplementalGroupsStrategyOptions) GetRule added in v1.1.0 

func (x *SupplementalGroupsStrategyOptions) GetRule() string

func (*SupplementalGroupsStrategyOptions) ProtoMessage added in v1.1.0 

func (*SupplementalGroupsStrategyOptions) ProtoMessage()

func (*SupplementalGroupsStrategyOptions) ProtoReflect added in v1.2.4 

func (x *SupplementalGroupsStrategyOptions) ProtoReflect() protoreflect.Message

func (*SupplementalGroupsStrategyOptions) Reset added in v1.1.0 

func (x *SupplementalGroupsStrategyOptions) Reset()

func (*SupplementalGroupsStrategyOptions) String added in v1.1.0 

func (x *SupplementalGroupsStrategyOptions) String() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.