policy

package
v1.28.0-alpha.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jun 20, 2023 License: Apache-2.0 Imports: 5 Imported by: 801

Documentation

Index

Constants

View Source
const AllowAllRuntimeClassNames = "*"

AllowAllRuntimeClassNames can be used as a value for the RuntimeClassStrategyOptions.allowedRuntimeClassNames field and means that any runtimeClassName is allowed.

View Source
const GroupName = "policy"

GroupName is the group name use in this package

View Source
const (
	PDBV1beta1Label = "pdb.kubernetes.io/deprecated-v1beta1-empty-selector-match"
)

Variables

View Source
var (
	NonV1beta1MatchAllSelector  = &metav1.LabelSelector{}
	NonV1beta1MatchNoneSelector = &metav1.LabelSelector{
		MatchExpressions: []metav1.LabelSelectorRequirement{{Key: PDBV1beta1Label, Operator: metav1.LabelSelectorOpExists}},
	}

	V1beta1MatchNoneSelector = &metav1.LabelSelector{}
	V1beta1MatchAllSelector  = &metav1.LabelSelector{
		MatchExpressions: []metav1.LabelSelectorRequirement{{Key: PDBV1beta1Label, Operator: metav1.LabelSelectorOpDoesNotExist}},
	}
)
View Source
var (
	// SchemeBuilder is the scheme builder with scheme init functions to run for this API package
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	// AddToScheme is a global function that registers this API group & version to a scheme
	AddToScheme = SchemeBuilder.AddToScheme
)
View Source
var AllowAllCapabilities api.Capability = "*"

AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities field and means that any capabilities are allowed to be requested.

View Source
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}

SchemeGroupVersion is group version used to register these objects

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group qualified GroupKind

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

func StripPDBV1beta1Label added in v1.21.0

func StripPDBV1beta1Label(selector *metav1.LabelSelector)

Types

type AllowedCSIDriver added in v1.14.0

type AllowedCSIDriver struct {
	// Name is the registered name of the CSI driver
	Name string
}

AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.

func (*AllowedCSIDriver) DeepCopy added in v1.14.0

func (in *AllowedCSIDriver) DeepCopy() *AllowedCSIDriver

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedCSIDriver.

func (*AllowedCSIDriver) DeepCopyInto added in v1.14.0

func (in *AllowedCSIDriver) DeepCopyInto(out *AllowedCSIDriver)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AllowedFlexVolume added in v1.11.0

type AllowedFlexVolume struct {
	// Driver is the name of the Flexvolume driver.
	Driver string
}

AllowedFlexVolume represents a single Flexvolume that is allowed to be used.

func (*AllowedFlexVolume) DeepCopy added in v1.11.0

func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.

func (*AllowedFlexVolume) DeepCopyInto added in v1.11.0

func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AllowedHostPath added in v1.11.0

type AllowedHostPath struct {
	// PathPrefix is the path prefix that the host volume must match.
	// PathPrefix does not support `*`.
	// Trailing slashes are trimmed when validating the path prefix with a host path.
	//
	// Examples:
	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
	// `/foo` would not allow `/food` or `/etc/foo`
	PathPrefix string

	// when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
	ReadOnly bool
}

AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.

func (*AllowedHostPath) DeepCopy added in v1.11.0

func (in *AllowedHostPath) DeepCopy() *AllowedHostPath

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.

func (*AllowedHostPath) DeepCopyInto added in v1.11.0

func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Eviction added in v1.4.0

type Eviction struct {
	metav1.TypeMeta

	// ObjectMeta describes the pod that is being evicted.
	// +optional
	metav1.ObjectMeta

	// DeleteOptions may be provided
	// +optional
	DeleteOptions *metav1.DeleteOptions
}

Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/eviction.

func (*Eviction) DeepCopy added in v1.8.0

func (in *Eviction) DeepCopy() *Eviction

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eviction.

func (*Eviction) DeepCopyInto added in v1.8.0

func (in *Eviction) DeepCopyInto(out *Eviction)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Eviction) DeepCopyObject added in v1.8.0

func (in *Eviction) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type FSGroupStrategyOptions added in v1.11.0

type FSGroupStrategyOptions struct {
	// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
	// +optional
	Rule FSGroupStrategyType
	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
	// fs group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

func (*FSGroupStrategyOptions) DeepCopy added in v1.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.

func (*FSGroupStrategyOptions) DeepCopyInto added in v1.11.0

func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FSGroupStrategyType added in v1.11.0

type FSGroupStrategyType string

FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext

const (
	// FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied.
	// However, when FSGroups are specified, they have to fall in the defined range.
	FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs"
	// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
	// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
)

type FSType added in v1.11.0

type FSType string

FSType gives strong typing to different file systems that are used by volumes.

const (
	AzureFile             FSType = "azureFile"
	Flocker               FSType = "flocker"
	FlexVolume            FSType = "flexVolume"
	HostPath              FSType = "hostPath"
	EmptyDir              FSType = "emptyDir"
	GCEPersistentDisk     FSType = "gcePersistentDisk"
	AWSElasticBlockStore  FSType = "awsElasticBlockStore"
	GitRepo               FSType = "gitRepo"
	Secret                FSType = "secret"
	NFS                   FSType = "nfs"
	ISCSI                 FSType = "iscsi"
	Glusterfs             FSType = "glusterfs"
	PersistentVolumeClaim FSType = "persistentVolumeClaim"
	RBD                   FSType = "rbd"
	Cinder                FSType = "cinder"
	CephFS                FSType = "cephFS"
	DownwardAPI           FSType = "downwardAPI"
	FC                    FSType = "fc"
	ConfigMap             FSType = "configMap"
	VsphereVolume         FSType = "vsphereVolume"
	Quobyte               FSType = "quobyte"
	AzureDisk             FSType = "azureDisk"
	PhotonPersistentDisk  FSType = "photonPersistentDisk"
	StorageOS             FSType = "storageos"
	Projected             FSType = "projected"
	PortworxVolume        FSType = "portworxVolume"
	ScaleIO               FSType = "scaleIO"
	CSI                   FSType = "csi"
	Ephemeral             FSType = "ephemeral"
	All                   FSType = "*"
)

Exported FSTypes.

type HostPortRange added in v1.11.0

type HostPortRange struct {
	// Min is the start of the range, inclusive.
	Min int32
	// Max is the end of the range, inclusive.
	Max int32
}

HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.

func (*HostPortRange) DeepCopy added in v1.11.0

func (in *HostPortRange) DeepCopy() *HostPortRange

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.

func (*HostPortRange) DeepCopyInto added in v1.11.0

func (in *HostPortRange) DeepCopyInto(out *HostPortRange)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IDRange added in v1.11.0

type IDRange struct {
	// Min is the start of the range, inclusive.
	Min int64
	// Max is the end of the range, inclusive.
	Max int64
}

IDRange provides a min/max of an allowed range of IDs.

func (*IDRange) DeepCopy added in v1.11.0

func (in *IDRange) DeepCopy() *IDRange

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.

func (*IDRange) DeepCopyInto added in v1.11.0

func (in *IDRange) DeepCopyInto(out *IDRange)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodDisruptionBudget

type PodDisruptionBudget struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta

	// Specification of the desired behavior of the PodDisruptionBudget.
	// +optional
	Spec PodDisruptionBudgetSpec
	// Most recently observed status of the PodDisruptionBudget.
	// +optional
	Status PodDisruptionBudgetStatus
}

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods

func (*PodDisruptionBudget) DeepCopy added in v1.8.0

func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget.

func (*PodDisruptionBudget) DeepCopyInto added in v1.8.0

func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodDisruptionBudget) DeepCopyObject added in v1.8.0

func (in *PodDisruptionBudget) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodDisruptionBudgetList

type PodDisruptionBudgetList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta
	Items []PodDisruptionBudget
}

PodDisruptionBudgetList is a collection of PodDisruptionBudgets.

func (*PodDisruptionBudgetList) DeepCopy added in v1.8.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetList.

func (*PodDisruptionBudgetList) DeepCopyInto added in v1.8.0

func (in *PodDisruptionBudgetList) DeepCopyInto(out *PodDisruptionBudgetList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodDisruptionBudgetList) DeepCopyObject added in v1.8.0

func (in *PodDisruptionBudgetList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodDisruptionBudgetSpec

type PodDisruptionBudgetSpec struct {
	// An eviction is allowed if at least "minAvailable" pods selected by
	// "selector" will still be available after the eviction, i.e. even in the
	// absence of the evicted pod.  So for example you can prevent all voluntary
	// evictions by specifying "100%".
	// +optional
	MinAvailable *intstr.IntOrString

	// Label query over pods whose evictions are managed by the disruption
	// budget.
	// +optional
	Selector *metav1.LabelSelector

	// An eviction is allowed if at most "maxUnavailable" pods selected by
	// "selector" are unavailable after the eviction, i.e. even in absence of
	// the evicted pod. For example, one can prevent all voluntary evictions
	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
	// +optional
	MaxUnavailable *intstr.IntOrString

	// UnhealthyPodEvictionPolicy defines the criteria for when unhealthy pods
	// should be considered for eviction. Current implementation considers healthy pods,
	// as pods that have status.conditions item with type="Ready",status="True".
	//
	// Valid policies are IfHealthyBudget and AlwaysAllow.
	// If no policy is specified, the default behavior will be used,
	// which corresponds to the IfHealthyBudget policy.
	//
	// IfHealthyBudget policy means that running pods (status.phase="Running"),
	// but not yet healthy can be evicted only if the guarded application is not
	// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
	// Healthy pods will be subject to the PDB for eviction.
	//
	// AlwaysAllow policy means that all running pods (status.phase="Running"),
	// but not yet healthy are considered disrupted and can be evicted regardless
	// of whether the criteria in a PDB is met. This means perspective running
	// pods of a disrupted application might not get a chance to become healthy.
	// Healthy pods will be subject to the PDB for eviction.
	//
	// Additional policies may be added in the future.
	// Clients making eviction decisions should disallow eviction of unhealthy pods
	// if they encounter an unrecognized policy in this field.
	//
	// This field is beta-level. The eviction API uses this field when
	// the feature gate PDBUnhealthyPodEvictionPolicy is enabled (enabled by default).
	// +optional
	UnhealthyPodEvictionPolicy *UnhealthyPodEvictionPolicyType
}

PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.

func (*PodDisruptionBudgetSpec) DeepCopy added in v1.8.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetSpec.

func (*PodDisruptionBudgetSpec) DeepCopyInto added in v1.8.0

func (in *PodDisruptionBudgetSpec) DeepCopyInto(out *PodDisruptionBudgetSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodDisruptionBudgetStatus

type PodDisruptionBudgetStatus struct {
	// Most recent generation observed when updating this PDB status. DisruptionsAllowed and other
	// status information is valid only if observedGeneration equals to PDB's object generation.
	// +optional
	ObservedGeneration int64

	// DisruptedPods contains information about pods whose eviction was
	// processed by the API server eviction subresource handler but has not
	// yet been observed by the PodDisruptionBudget controller.
	// A pod will be in this map from the time when the API server processed the
	// eviction request to the time when the pod is seen by PDB controller
	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
	// and the value is the time when the API server processed the eviction request. If
	// the deletion didn't occur and a pod is still there it will be removed from
	// the list automatically by PodDisruptionBudget controller after some time.
	// If everything goes smooth this map should be empty for the most of the time.
	// Large number of entries in the map may indicate problems with pod deletions.
	// +optional
	DisruptedPods map[string]metav1.Time

	// Number of pod disruptions that are currently allowed.
	DisruptionsAllowed int32

	// current number of healthy pods
	CurrentHealthy int32

	// minimum desired number of healthy pods
	DesiredHealthy int32

	// total number of pods counted by this disruption budget
	ExpectedPods int32

	// Conditions contain conditions for PDB
	// +optional
	Conditions []metav1.Condition
}

PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.

func (*PodDisruptionBudgetStatus) DeepCopy added in v1.8.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetStatus.

func (*PodDisruptionBudgetStatus) DeepCopyInto added in v1.8.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PodSecurityPolicy added in v1.11.0

type PodSecurityPolicy struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta

	// Spec defines the policy enforced.
	// +optional
	Spec PodSecurityPolicySpec
}

PodSecurityPolicy governs the ability to make requests that affect the SecurityContext that will be applied to a pod and container.

func (*PodSecurityPolicy) DeepCopy added in v1.11.0

func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.

func (*PodSecurityPolicy) DeepCopyInto added in v1.11.0

func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicy) DeepCopyObject added in v1.11.0

func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicyList added in v1.11.0

type PodSecurityPolicyList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta

	Items []PodSecurityPolicy
}

PodSecurityPolicyList is a list of PodSecurityPolicy objects.

func (*PodSecurityPolicyList) DeepCopy added in v1.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.

func (*PodSecurityPolicyList) DeepCopyInto added in v1.11.0

func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PodSecurityPolicyList) DeepCopyObject added in v1.11.0

func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PodSecurityPolicySpec added in v1.11.0

type PodSecurityPolicySpec struct {
	// Privileged determines if a pod can request to be run as privileged.
	// +optional
	Privileged bool
	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability.  You may not list a capability in both
	// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
	// allowed, and need not be included in the AllowedCapabilities list.
	// +optional
	DefaultAddCapabilities []api.Capability
	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
	// are required to be dropped and cannot be added.
	// +optional
	RequiredDropCapabilities []api.Capability
	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field may be added at the pod author's discretion.
	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
	// To allow all capabilities you may use '*'.
	// +optional
	AllowedCapabilities []api.Capability
	// Volumes is an allowlist of volume plugins. Empty indicates that
	// no volumes may be used. To allow all volumes you may use '*'.
	// +optional
	Volumes []FSType
	// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	// +optional
	HostNetwork bool
	// HostPorts determines which host port ranges are allowed to be exposed.
	// +optional
	HostPorts []HostPortRange
	// HostPID determines if the policy allows the use of HostPID in the pod spec.
	// +optional
	HostPID bool
	// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
	// +optional
	HostIPC bool
	// SELinux is the strategy that will dictate the allowable labels that may be set.
	SELinux SELinuxStrategyOptions
	// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
	RunAsUser RunAsUserStrategyOptions
	// RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
	// If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
	// RunAsGroup feature gate to be enabled.
	RunAsGroup *RunAsGroupStrategyOptions
	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	SupplementalGroups SupplementalGroupsStrategyOptions
	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	FSGroup FSGroupStrategyOptions
	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system.  If the container specifically requests to run with a non-read only root file system
	// the PSP should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	// +optional
	ReadOnlyRootFilesystem bool
	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
	// process can gain more privileges than its parent process.
	// +optional
	DefaultAllowPrivilegeEscalation *bool
	// AllowPrivilegeEscalation determines if a pod can request to allow
	// privilege escalation. If unspecified, defaults to true.
	// +optional
	AllowPrivilegeEscalation bool
	// AllowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.
	// +optional
	AllowedHostPaths []AllowedHostPath
	// AllowedFlexVolumes is an allowlist of Flexvolumes.  Empty or nil indicates that all
	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
	// is allowed in the "Volumes" field.
	// +optional
	AllowedFlexVolumes []AllowedFlexVolume
	// AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
	// An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
	// +optional
	AllowedCSIDrivers []AllowedCSIDriver
	// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
	// Kubelet has to allowlist all unsafe sysctls explicitly to avoid rejection.
	//
	// Examples:
	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
	// +optional
	AllowedUnsafeSysctls []string
	// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
	//
	// Examples:
	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
	// +optional
	ForbiddenSysctls []string
	// AllowedProcMountTypes is an allowlist of ProcMountTypes.
	// Empty or nil indicates that only the DefaultProcMountType may be used.
	// +optional
	AllowedProcMountTypes []api.ProcMountType
	// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
	// If this field is omitted, the pod's runtimeClassName field is unrestricted.
	// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
	// +optional
	RuntimeClass *RuntimeClassStrategyOptions
}

PodSecurityPolicySpec defines the policy enforced.

func (*PodSecurityPolicySpec) DeepCopy added in v1.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.

func (*PodSecurityPolicySpec) DeepCopyInto added in v1.11.0

func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RunAsGroupStrategy added in v1.13.0

type RunAsGroupStrategy string

RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a SecurityContext.

const (
	// RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid.
	// However, when RunAsGroup are specified, they have to fall in the defined range.
	RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs"
	// RunAsGroupStrategyMustRunAs means that container must run as a particular gid.
	RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs"
	// RunAsGroupStrategyRunAsAny means that container may make requests for any gid.
	RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny"
)

type RunAsGroupStrategyOptions added in v1.13.0

type RunAsGroupStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
	Rule RunAsGroupStrategy
	// Ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsGroupStrategyOptions) DeepCopy added in v1.13.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsGroupStrategyOptions.

func (*RunAsGroupStrategyOptions) DeepCopyInto added in v1.13.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RunAsUserStrategy added in v1.11.0

type RunAsUserStrategy string

RunAsUserStrategy denotes strategy types for generating RunAsUser values for a SecurityContext.

const (
	// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
	RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
	// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
	// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
	RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
)

type RunAsUserStrategyOptions added in v1.11.0

type RunAsUserStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
	Rule RunAsUserStrategy
	// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

func (*RunAsUserStrategyOptions) DeepCopy added in v1.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.

func (*RunAsUserStrategyOptions) DeepCopyInto added in v1.11.0

func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuntimeClassStrategyOptions added in v1.15.0

type RuntimeClassStrategyOptions struct {
	// allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod.
	// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
	// list. An empty list requires the RuntimeClassName field to be unset.
	AllowedRuntimeClassNames []string
	// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
	// The default MUST be allowed by the allowedRuntimeClassNames list.
	// A value of nil does not mutate the Pod.
	// +optional
	DefaultRuntimeClassName *string
}

RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.

func (*RuntimeClassStrategyOptions) DeepCopy added in v1.15.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeClassStrategyOptions.

func (*RuntimeClassStrategyOptions) DeepCopyInto added in v1.15.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SELinuxStrategy added in v1.11.0

type SELinuxStrategy string

SELinuxStrategy denotes strategy types for generating SELinux options for a Security.

const (
	// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
	SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
	// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
	SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
)

type SELinuxStrategyOptions added in v1.11.0

type SELinuxStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable labels that may be set.
	Rule SELinuxStrategy
	// SELinuxOptions required to run as; required for MustRunAs
	// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
	// +optional
	SELinuxOptions *api.SELinuxOptions
}

SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.

func (*SELinuxStrategyOptions) DeepCopy added in v1.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.

func (*SELinuxStrategyOptions) DeepCopyInto added in v1.11.0

func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SupplementalGroupsStrategyOptions added in v1.11.0

type SupplementalGroupsStrategyOptions struct {
	// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
	// +optional
	Rule SupplementalGroupsStrategyType
	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
	// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []IDRange
}

SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

func (*SupplementalGroupsStrategyOptions) DeepCopy added in v1.11.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.

func (*SupplementalGroupsStrategyOptions) DeepCopyInto added in v1.11.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type SupplementalGroupsStrategyType added in v1.11.0

type SupplementalGroupsStrategyType string

SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.

const (
	// SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid.
	// However, when gids are specified, they have to fall in the defined range.
	SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs"
	// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
	// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)

type UnhealthyPodEvictionPolicyType added in v1.26.0

type UnhealthyPodEvictionPolicyType string

UnhealthyPodEvictionPolicyType defines the criteria for when unhealthy pods should be considered for eviction. +enum

const (
	// IfHealthyBudget policy means that running pods (status.phase="Running"),
	// but not yet healthy can be evicted only if the guarded application is not
	// disrupted (status.currentHealthy is at least equal to status.desiredHealthy).
	// Healthy pods will be subject to the PDB for eviction.
	IfHealthyBudget UnhealthyPodEvictionPolicyType = "IfHealthyBudget"

	// AlwaysAllow policy means that all running pods (status.phase="Running"),
	// but not yet healthy are considered disrupted and can be evicted regardless
	// of whether the criteria in a PDB is met. This means perspective running
	// pods of a disrupted application might not get a chance to become healthy.
	// Healthy pods will be subject to the PDB for eviction.
	AlwaysAllow UnhealthyPodEvictionPolicyType = "AlwaysAllow"
)

Directories

Path Synopsis
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery.
Package policy is for any kind of policy object.
Package policy is for any kind of policy object.
Package policy is for any kind of policy object.
Package policy is for any kind of policy object.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL