1/* 2Copyright 2016 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17package v1beta1 18 19import ( 20 v1 "k8s.io/api/core/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 "k8s.io/apimachinery/pkg/util/intstr" 23) 24 25// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. 26type PodDisruptionBudgetSpec struct { 27 // An eviction is allowed if at least "minAvailable" pods selected by 28 // "selector" will still be available after the eviction, i.e. even in the 29 // absence of the evicted pod. So for example you can prevent all voluntary 30 // evictions by specifying "100%". 31 // +optional 32 MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"` 33 34 // Label query over pods whose evictions are managed by the disruption 35 // budget. 36 // +optional 37 Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"` 38 39 // An eviction is allowed if at most "maxUnavailable" pods selected by 40 // "selector" are unavailable after the eviction, i.e. even in absence of 41 // the evicted pod. For example, one can prevent all voluntary evictions 42 // by specifying 0. This is a mutually exclusive setting with "minAvailable". 43 // +optional 44 MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"` 45} 46 47// PodDisruptionBudgetStatus represents information about the status of a 48// PodDisruptionBudget. Status may trail the actual state of a system. 49type PodDisruptionBudgetStatus struct { 50 // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other 51 // status informatio is valid only if observedGeneration equals to PDB's object generation. 52 // +optional 53 ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` 54 55 // DisruptedPods contains information about pods whose eviction was 56 // processed by the API server eviction subresource handler but has not 57 // yet been observed by the PodDisruptionBudget controller. 58 // A pod will be in this map from the time when the API server processed the 59 // eviction request to the time when the pod is seen by PDB controller 60 // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod 61 // and the value is the time when the API server processed the eviction request. If 62 // the deletion didn't occur and a pod is still there it will be removed from 63 // the list automatically by PodDisruptionBudget controller after some time. 64 // If everything goes smooth this map should be empty for the most of the time. 65 // Large number of entries in the map may indicate problems with pod deletions. 66 // +optional 67 DisruptedPods map[string]metav1.Time `json:"disruptedPods,omitempty" protobuf:"bytes,2,rep,name=disruptedPods"` 68 69 // Number of pod disruptions that are currently allowed. 70 PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"` 71 72 // current number of healthy pods 73 CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"` 74 75 // minimum desired number of healthy pods 76 DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"` 77 78 // total number of pods counted by this disruption budget 79 ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"` 80} 81 82// +genclient 83// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 84 85// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods 86type PodDisruptionBudget struct { 87 metav1.TypeMeta `json:",inline"` 88 // +optional 89 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 90 91 // Specification of the desired behavior of the PodDisruptionBudget. 92 // +optional 93 Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 94 // Most recently observed status of the PodDisruptionBudget. 95 // +optional 96 Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` 97} 98 99// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 100 101// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. 102type PodDisruptionBudgetList struct { 103 metav1.TypeMeta `json:",inline"` 104 // +optional 105 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 106 Items []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"` 107} 108 109// +genclient 110// +genclient:noVerbs 111// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 112 113// Eviction evicts a pod from its node subject to certain policies and safety constraints. 114// This is a subresource of Pod. A request to cause such an eviction is 115// created by POSTing to .../pods/<pod name>/evictions. 116type Eviction struct { 117 metav1.TypeMeta `json:",inline"` 118 119 // ObjectMeta describes the pod that is being evicted. 120 // +optional 121 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 122 123 // DeleteOptions may be provided 124 // +optional 125 DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"` 126} 127 128// +genclient 129// +genclient:nonNamespaced 130// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 131 132// PodSecurityPolicy governs the ability to make requests that affect the Security Context 133// that will be applied to a pod and container. 134type PodSecurityPolicy struct { 135 metav1.TypeMeta `json:",inline"` 136 // Standard object's metadata. 137 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 138 // +optional 139 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 140 141 // spec defines the policy enforced. 142 // +optional 143 Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 144} 145 146// PodSecurityPolicySpec defines the policy enforced. 147type PodSecurityPolicySpec struct { 148 // privileged determines if a pod can request to be run as privileged. 149 // +optional 150 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"` 151 // defaultAddCapabilities is the default set of capabilities that will be added to the container 152 // unless the pod spec specifically drops the capability. You may not list a capability in both 153 // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly 154 // allowed, and need not be included in the allowedCapabilities list. 155 // +optional 156 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"` 157 // requiredDropCapabilities are the capabilities that will be dropped from the container. These 158 // are required to be dropped and cannot be added. 159 // +optional 160 RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"` 161 // allowedCapabilities is a list of capabilities that can be requested to add to the container. 162 // Capabilities in this field may be added at the pod author's discretion. 163 // You must not list a capability in both allowedCapabilities and requiredDropCapabilities. 164 // +optional 165 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"` 166 // volumes is a white list of allowed volume plugins. Empty indicates that 167 // no volumes may be used. To allow all volumes you may use '*'. 168 // +optional 169 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"` 170 // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec. 171 // +optional 172 HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"` 173 // hostPorts determines which host port ranges are allowed to be exposed. 174 // +optional 175 HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"` 176 // hostPID determines if the policy allows the use of HostPID in the pod spec. 177 // +optional 178 HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"` 179 // hostIPC determines if the policy allows the use of HostIPC in the pod spec. 180 // +optional 181 HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"` 182 // seLinux is the strategy that will dictate the allowable labels that may be set. 183 SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"` 184 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. 185 RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"` 186 // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. 187 // If this field is omitted, the pod's RunAsGroup can take any value. This field requires the 188 // RunAsGroup feature gate to be enabled. 189 // +optional 190 RunAsGroup *RunAsGroupStrategyOptions `json:"runAsGroup,omitempty" protobuf:"bytes,22,opt,name=runAsGroup"` 191 // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. 192 SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"` 193 // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. 194 FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"` 195 // readOnlyRootFilesystem when set to true will force containers to run with a read only root file 196 // system. If the container specifically requests to run with a non-read only root file system 197 // the PSP should deny the pod. 198 // If set to false the container may run with a read only root file system if it wishes but it 199 // will not be forced to. 200 // +optional 201 ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"` 202 // defaultAllowPrivilegeEscalation controls the default setting for whether a 203 // process can gain more privileges than its parent process. 204 // +optional 205 DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"` 206 // allowPrivilegeEscalation determines if a pod can request to allow 207 // privilege escalation. If unspecified, defaults to true. 208 // +optional 209 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"` 210 // allowedHostPaths is a white list of allowed host paths. Empty indicates 211 // that all host paths may be used. 212 // +optional 213 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"` 214 // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all 215 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes 216 // is allowed in the "volumes" field. 217 // +optional 218 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` 219 // AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. 220 // An empty value indicates that any CSI driver can be used for inline ephemeral volumes. 221 // This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate. 222 // +optional 223 AllowedCSIDrivers []AllowedCSIDriver `json:"allowedCSIDrivers,omitempty" protobuf:"bytes,23,rep,name=allowedCSIDrivers"` 224 // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. 225 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered 226 // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. 227 // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. 228 // 229 // Examples: 230 // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. 231 // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. 232 // +optional 233 AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"` 234 // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. 235 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered 236 // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. 237 // 238 // Examples: 239 // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. 240 // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. 241 // +optional 242 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"` 243 // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. 244 // Empty or nil indicates that only the DefaultProcMountType may be used. 245 // This requires the ProcMountType feature flag to be enabled. 246 // +optional 247 AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"` 248 // runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. 249 // If this field is omitted, the pod's runtimeClassName field is unrestricted. 250 // Enforcement of this field depends on the RuntimeClass feature gate being enabled. 251 // +optional 252 RuntimeClass *RuntimeClassStrategyOptions `json:"runtimeClass,omitempty" protobuf:"bytes,24,opt,name=runtimeClass"` 253} 254 255// AllowedHostPath defines the host volume conditions that will be enabled by a policy 256// for pods to use. It requires the path prefix to be defined. 257type AllowedHostPath struct { 258 // pathPrefix is the path prefix that the host volume must match. 259 // It does not support `*`. 260 // Trailing slashes are trimmed when validating the path prefix with a host path. 261 // 262 // Examples: 263 // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` 264 // `/foo` would not allow `/food` or `/etc/foo` 265 PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"` 266 267 // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly. 268 // +optional 269 ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"` 270} 271 272// AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities 273// field and means that any capabilities are allowed to be requested. 274var AllowAllCapabilities v1.Capability = "*" 275 276// FSType gives strong typing to different file systems that are used by volumes. 277type FSType string 278 279var ( 280 AzureFile FSType = "azureFile" 281 Flocker FSType = "flocker" 282 FlexVolume FSType = "flexVolume" 283 HostPath FSType = "hostPath" 284 EmptyDir FSType = "emptyDir" 285 GCEPersistentDisk FSType = "gcePersistentDisk" 286 AWSElasticBlockStore FSType = "awsElasticBlockStore" 287 GitRepo FSType = "gitRepo" 288 Secret FSType = "secret" 289 NFS FSType = "nfs" 290 ISCSI FSType = "iscsi" 291 Glusterfs FSType = "glusterfs" 292 PersistentVolumeClaim FSType = "persistentVolumeClaim" 293 RBD FSType = "rbd" 294 Cinder FSType = "cinder" 295 CephFS FSType = "cephFS" 296 DownwardAPI FSType = "downwardAPI" 297 FC FSType = "fc" 298 ConfigMap FSType = "configMap" 299 VsphereVolume FSType = "vsphereVolume" 300 Quobyte FSType = "quobyte" 301 AzureDisk FSType = "azureDisk" 302 PhotonPersistentDisk FSType = "photonPersistentDisk" 303 StorageOS FSType = "storageos" 304 Projected FSType = "projected" 305 PortworxVolume FSType = "portworxVolume" 306 ScaleIO FSType = "scaleIO" 307 CSI FSType = "csi" 308 All FSType = "*" 309) 310 311// AllowedFlexVolume represents a single Flexvolume that is allowed to be used. 312type AllowedFlexVolume struct { 313 // driver is the name of the Flexvolume driver. 314 Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` 315} 316 317// AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used. 318type AllowedCSIDriver struct { 319 // Name is the registered name of the CSI driver 320 Name string `json:"name" protobuf:"bytes,1,opt,name=name"` 321} 322 323// HostPortRange defines a range of host ports that will be enabled by a policy 324// for pods to use. It requires both the start and end to be defined. 325type HostPortRange struct { 326 // min is the start of the range, inclusive. 327 Min int32 `json:"min" protobuf:"varint,1,opt,name=min"` 328 // max is the end of the range, inclusive. 329 Max int32 `json:"max" protobuf:"varint,2,opt,name=max"` 330} 331 332// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. 333type SELinuxStrategyOptions struct { 334 // rule is the strategy that will dictate the allowable labels that may be set. 335 Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"` 336 // seLinuxOptions required to run as; required for MustRunAs 337 // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ 338 // +optional 339 SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"` 340} 341 342// SELinuxStrategy denotes strategy types for generating SELinux options for a 343// Security Context. 344type SELinuxStrategy string 345 346const ( 347 // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. 348 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" 349 // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. 350 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" 351) 352 353// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. 354type RunAsUserStrategyOptions struct { 355 // rule is the strategy that will dictate the allowable RunAsUser values that may be set. 356 Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"` 357 // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid 358 // then supply a single range with the same start and end. Required for MustRunAs. 359 // +optional 360 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 361} 362 363// RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy. 364type RunAsGroupStrategyOptions struct { 365 // rule is the strategy that will dictate the allowable RunAsGroup values that may be set. 366 Rule RunAsGroupStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsGroupStrategy"` 367 // ranges are the allowed ranges of gids that may be used. If you would like to force a single gid 368 // then supply a single range with the same start and end. Required for MustRunAs. 369 // +optional 370 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 371} 372 373// IDRange provides a min/max of an allowed range of IDs. 374type IDRange struct { 375 // min is the start of the range, inclusive. 376 Min int64 `json:"min" protobuf:"varint,1,opt,name=min"` 377 // max is the end of the range, inclusive. 378 Max int64 `json:"max" protobuf:"varint,2,opt,name=max"` 379} 380 381// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a 382// Security Context. 383type RunAsUserStrategy string 384 385const ( 386 // RunAsUserStrategyMustRunAs means that container must run as a particular uid. 387 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" 388 // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid. 389 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" 390 // RunAsUserStrategyRunAsAny means that container may make requests for any uid. 391 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" 392) 393 394// RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a 395// Security Context. 396type RunAsGroupStrategy string 397 398const ( 399 // RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid. 400 // However, when RunAsGroup are specified, they have to fall in the defined range. 401 RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs" 402 // RunAsGroupStrategyMustRunAs means that container must run as a particular gid. 403 RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs" 404 // RunAsUserStrategyRunAsAny means that container may make requests for any gid. 405 RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny" 406) 407 408// FSGroupStrategyOptions defines the strategy type and options used to create the strategy. 409type FSGroupStrategyOptions struct { 410 // rule is the strategy that will dictate what FSGroup is used in the SecurityContext. 411 // +optional 412 Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"` 413 // ranges are the allowed ranges of fs groups. If you would like to force a single 414 // fs group then supply a single range with the same start and end. Required for MustRunAs. 415 // +optional 416 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 417} 418 419// FSGroupStrategyType denotes strategy types for generating FSGroup values for a 420// SecurityContext 421type FSGroupStrategyType string 422 423const ( 424 // FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied. 425 // However, when FSGroups are specified, they have to fall in the defined range. 426 FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs" 427 // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied. 428 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" 429 // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. 430 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" 431) 432 433// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. 434type SupplementalGroupsStrategyOptions struct { 435 // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext. 436 // +optional 437 Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"` 438 // ranges are the allowed ranges of supplemental groups. If you would like to force a single 439 // supplemental group then supply a single range with the same start and end. Required for MustRunAs. 440 // +optional 441 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 442} 443 444// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental 445// groups for a SecurityContext. 446type SupplementalGroupsStrategyType string 447 448const ( 449 // SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid. 450 // However, when gids are specified, they have to fall in the defined range. 451 SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs" 452 // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. 453 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" 454 // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. 455 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" 456) 457 458// RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses 459// for a pod. 460type RuntimeClassStrategyOptions struct { 461 // allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod. 462 // A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the 463 // list. An empty list requires the RuntimeClassName field to be unset. 464 AllowedRuntimeClassNames []string `json:"allowedRuntimeClassNames" protobuf:"bytes,1,rep,name=allowedRuntimeClassNames"` 465 // defaultRuntimeClassName is the default RuntimeClassName to set on the pod. 466 // The default MUST be allowed by the allowedRuntimeClassNames list. 467 // A value of nil does not mutate the Pod. 468 // +optional 469 DefaultRuntimeClassName *string `json:"defaultRuntimeClassName,omitempty" protobuf:"bytes,2,opt,name=defaultRuntimeClassName"` 470} 471 472// AllowAllRuntimeClassNames can be used as a value for the 473// RuntimeClassStrategyOptions.AllowedRuntimeClassNames field and means that any RuntimeClassName is 474// allowed. 475const AllowAllRuntimeClassNames = "*" 476 477// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 478 479// PodSecurityPolicyList is a list of PodSecurityPolicy objects. 480type PodSecurityPolicyList struct { 481 metav1.TypeMeta `json:",inline"` 482 // Standard list metadata. 483 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 484 // +optional 485 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 486 487 // items is a list of schema objects. 488 Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` 489} 490