Zack Williams | e940c7a | 2019-08-21 14:25:39 -0700 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2016 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package v1beta1 |
| 18 | |
| 19 | import ( |
| 20 | v1 "k8s.io/api/core/v1" |
| 21 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 22 | "k8s.io/apimachinery/pkg/util/intstr" |
| 23 | ) |
| 24 | |
| 25 | // PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. |
| 26 | type PodDisruptionBudgetSpec struct { |
| 27 | // An eviction is allowed if at least "minAvailable" pods selected by |
| 28 | // "selector" will still be available after the eviction, i.e. even in the |
| 29 | // absence of the evicted pod. So for example you can prevent all voluntary |
| 30 | // evictions by specifying "100%". |
| 31 | // +optional |
| 32 | MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"` |
| 33 | |
| 34 | // Label query over pods whose evictions are managed by the disruption |
| 35 | // budget. |
| 36 | // +optional |
| 37 | Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"` |
| 38 | |
| 39 | // An eviction is allowed if at most "maxUnavailable" pods selected by |
| 40 | // "selector" are unavailable after the eviction, i.e. even in absence of |
| 41 | // the evicted pod. For example, one can prevent all voluntary evictions |
| 42 | // by specifying 0. This is a mutually exclusive setting with "minAvailable". |
| 43 | // +optional |
| 44 | MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"` |
| 45 | } |
| 46 | |
| 47 | // PodDisruptionBudgetStatus represents information about the status of a |
| 48 | // PodDisruptionBudget. Status may trail the actual state of a system. |
| 49 | type PodDisruptionBudgetStatus struct { |
| 50 | // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other |
| 51 | // status informatio is valid only if observedGeneration equals to PDB's object generation. |
| 52 | // +optional |
| 53 | ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` |
| 54 | |
| 55 | // DisruptedPods contains information about pods whose eviction was |
| 56 | // processed by the API server eviction subresource handler but has not |
| 57 | // yet been observed by the PodDisruptionBudget controller. |
| 58 | // A pod will be in this map from the time when the API server processed the |
| 59 | // eviction request to the time when the pod is seen by PDB controller |
| 60 | // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod |
| 61 | // and the value is the time when the API server processed the eviction request. If |
| 62 | // the deletion didn't occur and a pod is still there it will be removed from |
| 63 | // the list automatically by PodDisruptionBudget controller after some time. |
| 64 | // If everything goes smooth this map should be empty for the most of the time. |
| 65 | // Large number of entries in the map may indicate problems with pod deletions. |
| 66 | // +optional |
| 67 | DisruptedPods map[string]metav1.Time `json:"disruptedPods,omitempty" protobuf:"bytes,2,rep,name=disruptedPods"` |
| 68 | |
| 69 | // Number of pod disruptions that are currently allowed. |
| 70 | PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"` |
| 71 | |
| 72 | // current number of healthy pods |
| 73 | CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"` |
| 74 | |
| 75 | // minimum desired number of healthy pods |
| 76 | DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"` |
| 77 | |
| 78 | // total number of pods counted by this disruption budget |
| 79 | ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"` |
| 80 | } |
| 81 | |
| 82 | // +genclient |
| 83 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 84 | |
| 85 | // PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods |
| 86 | type PodDisruptionBudget struct { |
| 87 | metav1.TypeMeta `json:",inline"` |
| 88 | // +optional |
| 89 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 90 | |
| 91 | // Specification of the desired behavior of the PodDisruptionBudget. |
| 92 | // +optional |
| 93 | Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` |
| 94 | // Most recently observed status of the PodDisruptionBudget. |
| 95 | // +optional |
| 96 | Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| 97 | } |
| 98 | |
| 99 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 100 | |
| 101 | // PodDisruptionBudgetList is a collection of PodDisruptionBudgets. |
| 102 | type PodDisruptionBudgetList struct { |
| 103 | metav1.TypeMeta `json:",inline"` |
| 104 | // +optional |
| 105 | metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 106 | Items []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"` |
| 107 | } |
| 108 | |
| 109 | // +genclient |
| 110 | // +genclient:noVerbs |
| 111 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 112 | |
| 113 | // Eviction evicts a pod from its node subject to certain policies and safety constraints. |
| 114 | // This is a subresource of Pod. A request to cause such an eviction is |
| 115 | // created by POSTing to .../pods/<pod name>/evictions. |
| 116 | type Eviction struct { |
| 117 | metav1.TypeMeta `json:",inline"` |
| 118 | |
| 119 | // ObjectMeta describes the pod that is being evicted. |
| 120 | // +optional |
| 121 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 122 | |
| 123 | // DeleteOptions may be provided |
| 124 | // +optional |
| 125 | DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"` |
| 126 | } |
| 127 | |
| 128 | // +genclient |
| 129 | // +genclient:nonNamespaced |
| 130 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 131 | |
| 132 | // PodSecurityPolicy governs the ability to make requests that affect the Security Context |
| 133 | // that will be applied to a pod and container. |
| 134 | type PodSecurityPolicy struct { |
| 135 | metav1.TypeMeta `json:",inline"` |
| 136 | // Standard object's metadata. |
| 137 | // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata |
| 138 | // +optional |
| 139 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 140 | |
| 141 | // spec defines the policy enforced. |
| 142 | // +optional |
| 143 | Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` |
| 144 | } |
| 145 | |
| 146 | // PodSecurityPolicySpec defines the policy enforced. |
| 147 | type PodSecurityPolicySpec struct { |
| 148 | // privileged determines if a pod can request to be run as privileged. |
| 149 | // +optional |
| 150 | Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"` |
| 151 | // defaultAddCapabilities is the default set of capabilities that will be added to the container |
| 152 | // unless the pod spec specifically drops the capability. You may not list a capability in both |
| 153 | // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly |
| 154 | // allowed, and need not be included in the allowedCapabilities list. |
| 155 | // +optional |
| 156 | DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"` |
| 157 | // requiredDropCapabilities are the capabilities that will be dropped from the container. These |
| 158 | // are required to be dropped and cannot be added. |
| 159 | // +optional |
| 160 | RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"` |
| 161 | // allowedCapabilities is a list of capabilities that can be requested to add to the container. |
| 162 | // Capabilities in this field may be added at the pod author's discretion. |
| 163 | // You must not list a capability in both allowedCapabilities and requiredDropCapabilities. |
| 164 | // +optional |
| 165 | AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"` |
| 166 | // volumes is a white list of allowed volume plugins. Empty indicates that |
| 167 | // no volumes may be used. To allow all volumes you may use '*'. |
| 168 | // +optional |
| 169 | Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"` |
| 170 | // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec. |
| 171 | // +optional |
| 172 | HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"` |
| 173 | // hostPorts determines which host port ranges are allowed to be exposed. |
| 174 | // +optional |
| 175 | HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"` |
| 176 | // hostPID determines if the policy allows the use of HostPID in the pod spec. |
| 177 | // +optional |
| 178 | HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"` |
| 179 | // hostIPC determines if the policy allows the use of HostIPC in the pod spec. |
| 180 | // +optional |
| 181 | HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"` |
| 182 | // seLinux is the strategy that will dictate the allowable labels that may be set. |
| 183 | SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"` |
| 184 | // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. |
| 185 | RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"` |
| 186 | // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. |
| 187 | // If this field is omitted, the pod's RunAsGroup can take any value. This field requires the |
| 188 | // RunAsGroup feature gate to be enabled. |
| 189 | // +optional |
| 190 | RunAsGroup *RunAsGroupStrategyOptions `json:"runAsGroup,omitempty" protobuf:"bytes,22,opt,name=runAsGroup"` |
| 191 | // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. |
| 192 | SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"` |
| 193 | // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. |
| 194 | FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"` |
| 195 | // readOnlyRootFilesystem when set to true will force containers to run with a read only root file |
| 196 | // system. If the container specifically requests to run with a non-read only root file system |
| 197 | // the PSP should deny the pod. |
| 198 | // If set to false the container may run with a read only root file system if it wishes but it |
| 199 | // will not be forced to. |
| 200 | // +optional |
| 201 | ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"` |
| 202 | // defaultAllowPrivilegeEscalation controls the default setting for whether a |
| 203 | // process can gain more privileges than its parent process. |
| 204 | // +optional |
| 205 | DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"` |
| 206 | // allowPrivilegeEscalation determines if a pod can request to allow |
| 207 | // privilege escalation. If unspecified, defaults to true. |
| 208 | // +optional |
| 209 | AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"` |
| 210 | // allowedHostPaths is a white list of allowed host paths. Empty indicates |
| 211 | // that all host paths may be used. |
| 212 | // +optional |
| 213 | AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"` |
| 214 | // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all |
| 215 | // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes |
| 216 | // is allowed in the "volumes" field. |
| 217 | // +optional |
| 218 | AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` |
| 219 | // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. |
| 220 | // An empty value indicates that any CSI driver can be used for inline ephemeral volumes. |
| 221 | // This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate. |
| 222 | // +optional |
| 223 | AllowedCSIDrivers []AllowedCSIDriver `json:"allowedCSIDrivers,omitempty" protobuf:"bytes,23,rep,name=allowedCSIDrivers"` |
| 224 | // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. |
| 225 | // Each entry is either a plain sysctl name or ends in "*" in which case it is considered |
| 226 | // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. |
| 227 | // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. |
| 228 | // |
| 229 | // Examples: |
| 230 | // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. |
| 231 | // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. |
| 232 | // +optional |
| 233 | AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"` |
| 234 | // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. |
| 235 | // Each entry is either a plain sysctl name or ends in "*" in which case it is considered |
| 236 | // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. |
| 237 | // |
| 238 | // Examples: |
| 239 | // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. |
| 240 | // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. |
| 241 | // +optional |
| 242 | ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"` |
| 243 | // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. |
| 244 | // Empty or nil indicates that only the DefaultProcMountType may be used. |
| 245 | // This requires the ProcMountType feature flag to be enabled. |
| 246 | // +optional |
| 247 | AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"` |
| 248 | // runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. |
| 249 | // If this field is omitted, the pod's runtimeClassName field is unrestricted. |
| 250 | // Enforcement of this field depends on the RuntimeClass feature gate being enabled. |
| 251 | // +optional |
| 252 | RuntimeClass *RuntimeClassStrategyOptions `json:"runtimeClass,omitempty" protobuf:"bytes,24,opt,name=runtimeClass"` |
| 253 | } |
| 254 | |
| 255 | // AllowedHostPath defines the host volume conditions that will be enabled by a policy |
| 256 | // for pods to use. It requires the path prefix to be defined. |
| 257 | type AllowedHostPath struct { |
| 258 | // pathPrefix is the path prefix that the host volume must match. |
| 259 | // It does not support `*`. |
| 260 | // Trailing slashes are trimmed when validating the path prefix with a host path. |
| 261 | // |
| 262 | // Examples: |
| 263 | // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` |
| 264 | // `/foo` would not allow `/food` or `/etc/foo` |
| 265 | PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"` |
| 266 | |
| 267 | // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly. |
| 268 | // +optional |
| 269 | ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"` |
| 270 | } |
| 271 | |
| 272 | // AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities |
| 273 | // field and means that any capabilities are allowed to be requested. |
| 274 | var AllowAllCapabilities v1.Capability = "*" |
| 275 | |
| 276 | // FSType gives strong typing to different file systems that are used by volumes. |
| 277 | type FSType string |
| 278 | |
| 279 | var ( |
| 280 | AzureFile FSType = "azureFile" |
| 281 | Flocker FSType = "flocker" |
| 282 | FlexVolume FSType = "flexVolume" |
| 283 | HostPath FSType = "hostPath" |
| 284 | EmptyDir FSType = "emptyDir" |
| 285 | GCEPersistentDisk FSType = "gcePersistentDisk" |
| 286 | AWSElasticBlockStore FSType = "awsElasticBlockStore" |
| 287 | GitRepo FSType = "gitRepo" |
| 288 | Secret FSType = "secret" |
| 289 | NFS FSType = "nfs" |
| 290 | ISCSI FSType = "iscsi" |
| 291 | Glusterfs FSType = "glusterfs" |
| 292 | PersistentVolumeClaim FSType = "persistentVolumeClaim" |
| 293 | RBD FSType = "rbd" |
| 294 | Cinder FSType = "cinder" |
| 295 | CephFS FSType = "cephFS" |
| 296 | DownwardAPI FSType = "downwardAPI" |
| 297 | FC FSType = "fc" |
| 298 | ConfigMap FSType = "configMap" |
| 299 | VsphereVolume FSType = "vsphereVolume" |
| 300 | Quobyte FSType = "quobyte" |
| 301 | AzureDisk FSType = "azureDisk" |
| 302 | PhotonPersistentDisk FSType = "photonPersistentDisk" |
| 303 | StorageOS FSType = "storageos" |
| 304 | Projected FSType = "projected" |
| 305 | PortworxVolume FSType = "portworxVolume" |
| 306 | ScaleIO FSType = "scaleIO" |
| 307 | CSI FSType = "csi" |
| 308 | All FSType = "*" |
| 309 | ) |
| 310 | |
| 311 | // AllowedFlexVolume represents a single Flexvolume that is allowed to be used. |
| 312 | type AllowedFlexVolume struct { |
| 313 | // driver is the name of the Flexvolume driver. |
| 314 | Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` |
| 315 | } |
| 316 | |
| 317 | // AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used. |
| 318 | type AllowedCSIDriver struct { |
| 319 | // Name is the registered name of the CSI driver |
| 320 | Name string `json:"name" protobuf:"bytes,1,opt,name=name"` |
| 321 | } |
| 322 | |
| 323 | // HostPortRange defines a range of host ports that will be enabled by a policy |
| 324 | // for pods to use. It requires both the start and end to be defined. |
| 325 | type HostPortRange struct { |
| 326 | // min is the start of the range, inclusive. |
| 327 | Min int32 `json:"min" protobuf:"varint,1,opt,name=min"` |
| 328 | // max is the end of the range, inclusive. |
| 329 | Max int32 `json:"max" protobuf:"varint,2,opt,name=max"` |
| 330 | } |
| 331 | |
| 332 | // SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. |
| 333 | type SELinuxStrategyOptions struct { |
| 334 | // rule is the strategy that will dictate the allowable labels that may be set. |
| 335 | Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"` |
| 336 | // seLinuxOptions required to run as; required for MustRunAs |
| 337 | // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| 338 | // +optional |
| 339 | SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"` |
| 340 | } |
| 341 | |
| 342 | // SELinuxStrategy denotes strategy types for generating SELinux options for a |
| 343 | // Security Context. |
| 344 | type SELinuxStrategy string |
| 345 | |
| 346 | const ( |
| 347 | // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. |
| 348 | SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" |
| 349 | // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. |
| 350 | SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" |
| 351 | ) |
| 352 | |
| 353 | // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. |
| 354 | type RunAsUserStrategyOptions struct { |
| 355 | // rule is the strategy that will dictate the allowable RunAsUser values that may be set. |
| 356 | Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"` |
| 357 | // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid |
| 358 | // then supply a single range with the same start and end. Required for MustRunAs. |
| 359 | // +optional |
| 360 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 361 | } |
| 362 | |
| 363 | // RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy. |
| 364 | type RunAsGroupStrategyOptions struct { |
| 365 | // rule is the strategy that will dictate the allowable RunAsGroup values that may be set. |
| 366 | Rule RunAsGroupStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsGroupStrategy"` |
| 367 | // ranges are the allowed ranges of gids that may be used. If you would like to force a single gid |
| 368 | // then supply a single range with the same start and end. Required for MustRunAs. |
| 369 | // +optional |
| 370 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 371 | } |
| 372 | |
| 373 | // IDRange provides a min/max of an allowed range of IDs. |
| 374 | type IDRange struct { |
| 375 | // min is the start of the range, inclusive. |
| 376 | Min int64 `json:"min" protobuf:"varint,1,opt,name=min"` |
| 377 | // max is the end of the range, inclusive. |
| 378 | Max int64 `json:"max" protobuf:"varint,2,opt,name=max"` |
| 379 | } |
| 380 | |
| 381 | // RunAsUserStrategy denotes strategy types for generating RunAsUser values for a |
| 382 | // Security Context. |
| 383 | type RunAsUserStrategy string |
| 384 | |
| 385 | const ( |
| 386 | // RunAsUserStrategyMustRunAs means that container must run as a particular uid. |
| 387 | RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" |
| 388 | // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid. |
| 389 | RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" |
| 390 | // RunAsUserStrategyRunAsAny means that container may make requests for any uid. |
| 391 | RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" |
| 392 | ) |
| 393 | |
| 394 | // RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a |
| 395 | // Security Context. |
| 396 | type RunAsGroupStrategy string |
| 397 | |
| 398 | const ( |
| 399 | // RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid. |
| 400 | // However, when RunAsGroup are specified, they have to fall in the defined range. |
| 401 | RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs" |
| 402 | // RunAsGroupStrategyMustRunAs means that container must run as a particular gid. |
| 403 | RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs" |
| 404 | // RunAsUserStrategyRunAsAny means that container may make requests for any gid. |
| 405 | RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny" |
| 406 | ) |
| 407 | |
| 408 | // FSGroupStrategyOptions defines the strategy type and options used to create the strategy. |
| 409 | type FSGroupStrategyOptions struct { |
| 410 | // rule is the strategy that will dictate what FSGroup is used in the SecurityContext. |
| 411 | // +optional |
| 412 | Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"` |
| 413 | // ranges are the allowed ranges of fs groups. If you would like to force a single |
| 414 | // fs group then supply a single range with the same start and end. Required for MustRunAs. |
| 415 | // +optional |
| 416 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 417 | } |
| 418 | |
| 419 | // FSGroupStrategyType denotes strategy types for generating FSGroup values for a |
| 420 | // SecurityContext |
| 421 | type FSGroupStrategyType string |
| 422 | |
| 423 | const ( |
| 424 | // FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied. |
| 425 | // However, when FSGroups are specified, they have to fall in the defined range. |
| 426 | FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs" |
| 427 | // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied. |
| 428 | FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" |
| 429 | // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. |
| 430 | FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" |
| 431 | ) |
| 432 | |
| 433 | // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. |
| 434 | type SupplementalGroupsStrategyOptions struct { |
| 435 | // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext. |
| 436 | // +optional |
| 437 | Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"` |
| 438 | // ranges are the allowed ranges of supplemental groups. If you would like to force a single |
| 439 | // supplemental group then supply a single range with the same start and end. Required for MustRunAs. |
| 440 | // +optional |
| 441 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 442 | } |
| 443 | |
| 444 | // SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental |
| 445 | // groups for a SecurityContext. |
| 446 | type SupplementalGroupsStrategyType string |
| 447 | |
| 448 | const ( |
| 449 | // SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid. |
| 450 | // However, when gids are specified, they have to fall in the defined range. |
| 451 | SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs" |
| 452 | // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. |
| 453 | SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" |
| 454 | // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. |
| 455 | SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" |
| 456 | ) |
| 457 | |
| 458 | // RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses |
| 459 | // for a pod. |
| 460 | type RuntimeClassStrategyOptions struct { |
| 461 | // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. |
| 462 | // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the |
| 463 | // list. An empty list requires the RuntimeClassName field to be unset. |
| 464 | AllowedRuntimeClassNames []string `json:"allowedRuntimeClassNames" protobuf:"bytes,1,rep,name=allowedRuntimeClassNames"` |
| 465 | // defaultRuntimeClassName is the default RuntimeClassName to set on the pod. |
| 466 | // The default MUST be allowed by the allowedRuntimeClassNames list. |
| 467 | // A value of nil does not mutate the Pod. |
| 468 | // +optional |
| 469 | DefaultRuntimeClassName *string `json:"defaultRuntimeClassName,omitempty" protobuf:"bytes,2,opt,name=defaultRuntimeClassName"` |
| 470 | } |
| 471 | |
| 472 | // AllowAllRuntimeClassNames can be used as a value for the |
| 473 | // RuntimeClassStrategyOptions.AllowedRuntimeClassNames field and means that any RuntimeClassName is |
| 474 | // allowed. |
| 475 | const AllowAllRuntimeClassNames = "*" |
| 476 | |
| 477 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 478 | |
| 479 | // PodSecurityPolicyList is a list of PodSecurityPolicy objects. |
| 480 | type PodSecurityPolicyList struct { |
| 481 | metav1.TypeMeta `json:",inline"` |
| 482 | // Standard list metadata. |
| 483 | // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata |
| 484 | // +optional |
| 485 | metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 486 | |
| 487 | // items is a list of schema objects. |
| 488 | Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` |
| 489 | } |