sslobodr | d046be8 | 2019-01-16 10:02:22 -0500 | [diff] [blame] | 1 | /* |
| 2 | Copyright 2016 The Kubernetes Authors. |
| 3 | |
| 4 | Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | you may not use this file except in compliance with the License. |
| 6 | You may obtain a copy of the License at |
| 7 | |
| 8 | http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | |
| 10 | Unless required by applicable law or agreed to in writing, software |
| 11 | distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | See the License for the specific language governing permissions and |
| 14 | limitations under the License. |
| 15 | */ |
| 16 | |
| 17 | package v1beta1 |
| 18 | |
| 19 | import ( |
| 20 | "k8s.io/api/core/v1" |
| 21 | metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" |
| 22 | "k8s.io/apimachinery/pkg/util/intstr" |
| 23 | ) |
| 24 | |
| 25 | // PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. |
| 26 | type PodDisruptionBudgetSpec struct { |
| 27 | // An eviction is allowed if at least "minAvailable" pods selected by |
| 28 | // "selector" will still be available after the eviction, i.e. even in the |
| 29 | // absence of the evicted pod. So for example you can prevent all voluntary |
| 30 | // evictions by specifying "100%". |
| 31 | // +optional |
| 32 | MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"` |
| 33 | |
| 34 | // Label query over pods whose evictions are managed by the disruption |
| 35 | // budget. |
| 36 | // +optional |
| 37 | Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"` |
| 38 | |
| 39 | // An eviction is allowed if at most "maxUnavailable" pods selected by |
| 40 | // "selector" are unavailable after the eviction, i.e. even in absence of |
| 41 | // the evicted pod. For example, one can prevent all voluntary evictions |
| 42 | // by specifying 0. This is a mutually exclusive setting with "minAvailable". |
| 43 | // +optional |
| 44 | MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"` |
| 45 | } |
| 46 | |
| 47 | // PodDisruptionBudgetStatus represents information about the status of a |
| 48 | // PodDisruptionBudget. Status may trail the actual state of a system. |
| 49 | type PodDisruptionBudgetStatus struct { |
| 50 | // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other |
| 51 | // status informatio is valid only if observedGeneration equals to PDB's object generation. |
| 52 | // +optional |
| 53 | ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` |
| 54 | |
| 55 | // DisruptedPods contains information about pods whose eviction was |
| 56 | // processed by the API server eviction subresource handler but has not |
| 57 | // yet been observed by the PodDisruptionBudget controller. |
| 58 | // A pod will be in this map from the time when the API server processed the |
| 59 | // eviction request to the time when the pod is seen by PDB controller |
| 60 | // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod |
| 61 | // and the value is the time when the API server processed the eviction request. If |
| 62 | // the deletion didn't occur and a pod is still there it will be removed from |
| 63 | // the list automatically by PodDisruptionBudget controller after some time. |
| 64 | // If everything goes smooth this map should be empty for the most of the time. |
| 65 | // Large number of entries in the map may indicate problems with pod deletions. |
| 66 | // +optional |
| 67 | DisruptedPods map[string]metav1.Time `json:"disruptedPods,omitempty" protobuf:"bytes,2,rep,name=disruptedPods"` |
| 68 | |
| 69 | // Number of pod disruptions that are currently allowed. |
| 70 | PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"` |
| 71 | |
| 72 | // current number of healthy pods |
| 73 | CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"` |
| 74 | |
| 75 | // minimum desired number of healthy pods |
| 76 | DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"` |
| 77 | |
| 78 | // total number of pods counted by this disruption budget |
| 79 | ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"` |
| 80 | } |
| 81 | |
| 82 | // +genclient |
| 83 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 84 | |
| 85 | // PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods |
| 86 | type PodDisruptionBudget struct { |
| 87 | metav1.TypeMeta `json:",inline"` |
| 88 | // +optional |
| 89 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 90 | |
| 91 | // Specification of the desired behavior of the PodDisruptionBudget. |
| 92 | // +optional |
| 93 | Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` |
| 94 | // Most recently observed status of the PodDisruptionBudget. |
| 95 | // +optional |
| 96 | Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` |
| 97 | } |
| 98 | |
| 99 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 100 | |
| 101 | // PodDisruptionBudgetList is a collection of PodDisruptionBudgets. |
| 102 | type PodDisruptionBudgetList struct { |
| 103 | metav1.TypeMeta `json:",inline"` |
| 104 | // +optional |
| 105 | metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 106 | Items []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"` |
| 107 | } |
| 108 | |
| 109 | // +genclient |
| 110 | // +genclient:noVerbs |
| 111 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 112 | |
| 113 | // Eviction evicts a pod from its node subject to certain policies and safety constraints. |
| 114 | // This is a subresource of Pod. A request to cause such an eviction is |
| 115 | // created by POSTing to .../pods/<pod name>/evictions. |
| 116 | type Eviction struct { |
| 117 | metav1.TypeMeta `json:",inline"` |
| 118 | |
| 119 | // ObjectMeta describes the pod that is being evicted. |
| 120 | // +optional |
| 121 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 122 | |
| 123 | // DeleteOptions may be provided |
| 124 | // +optional |
| 125 | DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"` |
| 126 | } |
| 127 | |
| 128 | // +genclient |
| 129 | // +genclient:nonNamespaced |
| 130 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 131 | |
| 132 | // PodSecurityPolicy governs the ability to make requests that affect the Security Context |
| 133 | // that will be applied to a pod and container. |
| 134 | type PodSecurityPolicy struct { |
| 135 | metav1.TypeMeta `json:",inline"` |
| 136 | // Standard object's metadata. |
| 137 | // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata |
| 138 | // +optional |
| 139 | metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 140 | |
| 141 | // spec defines the policy enforced. |
| 142 | // +optional |
| 143 | Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` |
| 144 | } |
| 145 | |
| 146 | // PodSecurityPolicySpec defines the policy enforced. |
| 147 | type PodSecurityPolicySpec struct { |
| 148 | // privileged determines if a pod can request to be run as privileged. |
| 149 | // +optional |
| 150 | Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"` |
| 151 | // defaultAddCapabilities is the default set of capabilities that will be added to the container |
| 152 | // unless the pod spec specifically drops the capability. You may not list a capability in both |
| 153 | // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly |
| 154 | // allowed, and need not be included in the allowedCapabilities list. |
| 155 | // +optional |
| 156 | DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"` |
| 157 | // requiredDropCapabilities are the capabilities that will be dropped from the container. These |
| 158 | // are required to be dropped and cannot be added. |
| 159 | // +optional |
| 160 | RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"` |
| 161 | // allowedCapabilities is a list of capabilities that can be requested to add to the container. |
| 162 | // Capabilities in this field may be added at the pod author's discretion. |
| 163 | // You must not list a capability in both allowedCapabilities and requiredDropCapabilities. |
| 164 | // +optional |
| 165 | AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"` |
| 166 | // volumes is a white list of allowed volume plugins. Empty indicates that |
| 167 | // no volumes may be used. To allow all volumes you may use '*'. |
| 168 | // +optional |
| 169 | Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"` |
| 170 | // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec. |
| 171 | // +optional |
| 172 | HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"` |
| 173 | // hostPorts determines which host port ranges are allowed to be exposed. |
| 174 | // +optional |
| 175 | HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"` |
| 176 | // hostPID determines if the policy allows the use of HostPID in the pod spec. |
| 177 | // +optional |
| 178 | HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"` |
| 179 | // hostIPC determines if the policy allows the use of HostIPC in the pod spec. |
| 180 | // +optional |
| 181 | HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"` |
| 182 | // seLinux is the strategy that will dictate the allowable labels that may be set. |
| 183 | SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"` |
| 184 | // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. |
| 185 | RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"` |
| 186 | // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. |
| 187 | // If this field is omitted, the pod's RunAsGroup can take any value. This field requires the |
| 188 | // RunAsGroup feature gate to be enabled. |
| 189 | // +optional |
| 190 | RunAsGroup *RunAsGroupStrategyOptions `json:"runAsGroup,omitempty" protobuf:"bytes,22,opt,name=runAsGroup"` |
| 191 | // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. |
| 192 | SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"` |
| 193 | // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. |
| 194 | FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"` |
| 195 | // readOnlyRootFilesystem when set to true will force containers to run with a read only root file |
| 196 | // system. If the container specifically requests to run with a non-read only root file system |
| 197 | // the PSP should deny the pod. |
| 198 | // If set to false the container may run with a read only root file system if it wishes but it |
| 199 | // will not be forced to. |
| 200 | // +optional |
| 201 | ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"` |
| 202 | // defaultAllowPrivilegeEscalation controls the default setting for whether a |
| 203 | // process can gain more privileges than its parent process. |
| 204 | // +optional |
| 205 | DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"` |
| 206 | // allowPrivilegeEscalation determines if a pod can request to allow |
| 207 | // privilege escalation. If unspecified, defaults to true. |
| 208 | // +optional |
| 209 | AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"` |
| 210 | // allowedHostPaths is a white list of allowed host paths. Empty indicates |
| 211 | // that all host paths may be used. |
| 212 | // +optional |
| 213 | AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"` |
| 214 | // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all |
| 215 | // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes |
| 216 | // is allowed in the "volumes" field. |
| 217 | // +optional |
| 218 | AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` |
| 219 | // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. |
| 220 | // Each entry is either a plain sysctl name or ends in "*" in which case it is considered |
| 221 | // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. |
| 222 | // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. |
| 223 | // |
| 224 | // Examples: |
| 225 | // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. |
| 226 | // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. |
| 227 | // +optional |
| 228 | AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"` |
| 229 | // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. |
| 230 | // Each entry is either a plain sysctl name or ends in "*" in which case it is considered |
| 231 | // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. |
| 232 | // |
| 233 | // Examples: |
| 234 | // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. |
| 235 | // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. |
| 236 | // +optional |
| 237 | ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"` |
| 238 | // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. |
| 239 | // Empty or nil indicates that only the DefaultProcMountType may be used. |
| 240 | // This requires the ProcMountType feature flag to be enabled. |
| 241 | // +optional |
| 242 | AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"` |
| 243 | } |
| 244 | |
| 245 | // AllowedHostPath defines the host volume conditions that will be enabled by a policy |
| 246 | // for pods to use. It requires the path prefix to be defined. |
| 247 | type AllowedHostPath struct { |
| 248 | // pathPrefix is the path prefix that the host volume must match. |
| 249 | // It does not support `*`. |
| 250 | // Trailing slashes are trimmed when validating the path prefix with a host path. |
| 251 | // |
| 252 | // Examples: |
| 253 | // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` |
| 254 | // `/foo` would not allow `/food` or `/etc/foo` |
| 255 | PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"` |
| 256 | |
| 257 | // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly. |
| 258 | // +optional |
| 259 | ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"` |
| 260 | } |
| 261 | |
| 262 | // AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities |
| 263 | // field and means that any capabilities are allowed to be requested. |
| 264 | var AllowAllCapabilities v1.Capability = "*" |
| 265 | |
| 266 | // FSType gives strong typing to different file systems that are used by volumes. |
| 267 | type FSType string |
| 268 | |
| 269 | var ( |
| 270 | AzureFile FSType = "azureFile" |
| 271 | Flocker FSType = "flocker" |
| 272 | FlexVolume FSType = "flexVolume" |
| 273 | HostPath FSType = "hostPath" |
| 274 | EmptyDir FSType = "emptyDir" |
| 275 | GCEPersistentDisk FSType = "gcePersistentDisk" |
| 276 | AWSElasticBlockStore FSType = "awsElasticBlockStore" |
| 277 | GitRepo FSType = "gitRepo" |
| 278 | Secret FSType = "secret" |
| 279 | NFS FSType = "nfs" |
| 280 | ISCSI FSType = "iscsi" |
| 281 | Glusterfs FSType = "glusterfs" |
| 282 | PersistentVolumeClaim FSType = "persistentVolumeClaim" |
| 283 | RBD FSType = "rbd" |
| 284 | Cinder FSType = "cinder" |
| 285 | CephFS FSType = "cephFS" |
| 286 | DownwardAPI FSType = "downwardAPI" |
| 287 | FC FSType = "fc" |
| 288 | ConfigMap FSType = "configMap" |
| 289 | VsphereVolume FSType = "vsphereVolume" |
| 290 | Quobyte FSType = "quobyte" |
| 291 | AzureDisk FSType = "azureDisk" |
| 292 | PhotonPersistentDisk FSType = "photonPersistentDisk" |
| 293 | StorageOS FSType = "storageos" |
| 294 | Projected FSType = "projected" |
| 295 | PortworxVolume FSType = "portworxVolume" |
| 296 | ScaleIO FSType = "scaleIO" |
| 297 | CSI FSType = "csi" |
| 298 | All FSType = "*" |
| 299 | ) |
| 300 | |
| 301 | // AllowedFlexVolume represents a single Flexvolume that is allowed to be used. |
| 302 | type AllowedFlexVolume struct { |
| 303 | // driver is the name of the Flexvolume driver. |
| 304 | Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` |
| 305 | } |
| 306 | |
| 307 | // HostPortRange defines a range of host ports that will be enabled by a policy |
| 308 | // for pods to use. It requires both the start and end to be defined. |
| 309 | type HostPortRange struct { |
| 310 | // min is the start of the range, inclusive. |
| 311 | Min int32 `json:"min" protobuf:"varint,1,opt,name=min"` |
| 312 | // max is the end of the range, inclusive. |
| 313 | Max int32 `json:"max" protobuf:"varint,2,opt,name=max"` |
| 314 | } |
| 315 | |
| 316 | // SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. |
| 317 | type SELinuxStrategyOptions struct { |
| 318 | // rule is the strategy that will dictate the allowable labels that may be set. |
| 319 | Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"` |
| 320 | // seLinuxOptions required to run as; required for MustRunAs |
| 321 | // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ |
| 322 | // +optional |
| 323 | SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"` |
| 324 | } |
| 325 | |
| 326 | // SELinuxStrategy denotes strategy types for generating SELinux options for a |
| 327 | // Security Context. |
| 328 | type SELinuxStrategy string |
| 329 | |
| 330 | const ( |
| 331 | // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. |
| 332 | SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" |
| 333 | // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. |
| 334 | SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" |
| 335 | ) |
| 336 | |
| 337 | // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. |
| 338 | type RunAsUserStrategyOptions struct { |
| 339 | // rule is the strategy that will dictate the allowable RunAsUser values that may be set. |
| 340 | Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"` |
| 341 | // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid |
| 342 | // then supply a single range with the same start and end. Required for MustRunAs. |
| 343 | // +optional |
| 344 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 345 | } |
| 346 | |
| 347 | // RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy. |
| 348 | type RunAsGroupStrategyOptions struct { |
| 349 | // rule is the strategy that will dictate the allowable RunAsGroup values that may be set. |
| 350 | Rule RunAsGroupStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsGroupStrategy"` |
| 351 | // ranges are the allowed ranges of gids that may be used. If you would like to force a single gid |
| 352 | // then supply a single range with the same start and end. Required for MustRunAs. |
| 353 | // +optional |
| 354 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 355 | } |
| 356 | |
| 357 | // IDRange provides a min/max of an allowed range of IDs. |
| 358 | type IDRange struct { |
| 359 | // min is the start of the range, inclusive. |
| 360 | Min int64 `json:"min" protobuf:"varint,1,opt,name=min"` |
| 361 | // max is the end of the range, inclusive. |
| 362 | Max int64 `json:"max" protobuf:"varint,2,opt,name=max"` |
| 363 | } |
| 364 | |
| 365 | // RunAsUserStrategy denotes strategy types for generating RunAsUser values for a |
| 366 | // Security Context. |
| 367 | type RunAsUserStrategy string |
| 368 | |
| 369 | const ( |
| 370 | // RunAsUserStrategyMustRunAs means that container must run as a particular uid. |
| 371 | RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" |
| 372 | // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid. |
| 373 | RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" |
| 374 | // RunAsUserStrategyRunAsAny means that container may make requests for any uid. |
| 375 | RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" |
| 376 | ) |
| 377 | |
| 378 | // RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a |
| 379 | // Security Context. |
| 380 | type RunAsGroupStrategy string |
| 381 | |
| 382 | const ( |
| 383 | // RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid. |
| 384 | // However, when RunAsGroup are specified, they have to fall in the defined range. |
| 385 | RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs" |
| 386 | // RunAsGroupStrategyMustRunAs means that container must run as a particular gid. |
| 387 | RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs" |
| 388 | // RunAsUserStrategyRunAsAny means that container may make requests for any gid. |
| 389 | RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny" |
| 390 | ) |
| 391 | |
| 392 | // FSGroupStrategyOptions defines the strategy type and options used to create the strategy. |
| 393 | type FSGroupStrategyOptions struct { |
| 394 | // rule is the strategy that will dictate what FSGroup is used in the SecurityContext. |
| 395 | // +optional |
| 396 | Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"` |
| 397 | // ranges are the allowed ranges of fs groups. If you would like to force a single |
| 398 | // fs group then supply a single range with the same start and end. Required for MustRunAs. |
| 399 | // +optional |
| 400 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 401 | } |
| 402 | |
| 403 | // FSGroupStrategyType denotes strategy types for generating FSGroup values for a |
| 404 | // SecurityContext |
| 405 | type FSGroupStrategyType string |
| 406 | |
| 407 | const ( |
| 408 | // FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied. |
| 409 | // However, when FSGroups are specified, they have to fall in the defined range. |
| 410 | FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs" |
| 411 | // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied. |
| 412 | FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" |
| 413 | // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. |
| 414 | FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" |
| 415 | ) |
| 416 | |
| 417 | // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. |
| 418 | type SupplementalGroupsStrategyOptions struct { |
| 419 | // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext. |
| 420 | // +optional |
| 421 | Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"` |
| 422 | // ranges are the allowed ranges of supplemental groups. If you would like to force a single |
| 423 | // supplemental group then supply a single range with the same start and end. Required for MustRunAs. |
| 424 | // +optional |
| 425 | Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` |
| 426 | } |
| 427 | |
| 428 | // SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental |
| 429 | // groups for a SecurityContext. |
| 430 | type SupplementalGroupsStrategyType string |
| 431 | |
| 432 | const ( |
| 433 | // SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid. |
| 434 | // However, when gids are specified, they have to fall in the defined range. |
| 435 | SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs" |
| 436 | // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. |
| 437 | SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" |
| 438 | // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. |
| 439 | SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" |
| 440 | ) |
| 441 | |
| 442 | // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object |
| 443 | |
| 444 | // PodSecurityPolicyList is a list of PodSecurityPolicy objects. |
| 445 | type PodSecurityPolicyList struct { |
| 446 | metav1.TypeMeta `json:",inline"` |
| 447 | // Standard list metadata. |
| 448 | // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata |
| 449 | // +optional |
| 450 | metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` |
| 451 | |
| 452 | // items is a list of schema objects. |
| 453 | Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` |
| 454 | } |