podSecurityPolicy

Pod Security Policy governs the ability to make requests that affect the Security Context that will be applied to a pod and container.

Constuctors

Mixins
  • metadata

    Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata


    Functions
    • mixinInstance

      mixinInstance(metadata)


    • withAnnotations

      withAnnotations(annotations)

      Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations


    • withAnnotationsMixin

      withAnnotationsMixin(annotations)

      Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations


    • withClusterName

      withClusterName(clusterName)

      The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request.


    • withFinalizers

      withFinalizers(finalizers)

      Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.


    • withFinalizersMixin

      withFinalizersMixin(finalizers)

      Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed.


    • withGenerateName

      withGenerateName(generateName)

      GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.

      If this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).

      Applied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency


    • withLabels

      withLabels(labels)

      Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels


    • withLabelsMixin

      withLabelsMixin(labels)

      Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels


    • withName

      withName(name)

      Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names


    • withNamespace

      withNamespace(namespace)

      Namespace defines the space within each name must be unique. An empty namespace is equivalent to the “default” namespace, but “default” is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.

      Must be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces


    • withOwnerReferences

      withOwnerReferences(ownerReferences)

      List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.

      withOwnerReferences takes an array of type ownerReferencesType. You can create an instance of ownerReferencesType with hidden.meta.v1.ownerReference.new().

      see hidden.meta.v1.ownerReference


    • withOwnerReferencesMixin

      withOwnerReferencesMixin(ownerReferences)

      List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller.

      withOwnerReferencesMixin takes an array of type ownerReferencesType. You can create an instance of ownerReferencesType with hidden.meta.v1.ownerReference.new().

      see hidden.meta.v1.ownerReference


    Mixins
    • initializers

      An initializer is a controller which enforces some system invariant at object creation time. This field is a list of initializers that have not yet acted on this object. If nil or empty, this object has been completely initialized. Otherwise, the object is considered uninitialized and is hidden (in list/watch and get calls) from clients that haven't explicitly asked to observe uninitialized objects.

      When an object is created, the system will populate this list with the current set of initializers. Only privileged users may set or modify this list. Once it is empty, it may not be modified further by any user.


      Functions
      • mixinInstance

        mixinInstance(initializers)


      • withPending

        withPending(pending)

        Pending is a list of initializers that must execute in order before this object is visible. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.

        withPending takes an array of type pendingType. You can create an instance of pendingType with hidden.meta.v1.initializer.new().

        see hidden.meta.v1.initializer


      • withPendingMixin

        withPendingMixin(pending)

        Pending is a list of initializers that must execute in order before this object is visible. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients.

        withPendingMixin takes an array of type pendingType. You can create an instance of pendingType with hidden.meta.v1.initializer.new().

        see hidden.meta.v1.initializer


  • spec

    spec defines the policy enforced.


    Functions
    • mixinInstance

      mixinInstance(spec)


    • withAllowPrivilegeEscalation

      withAllowPrivilegeEscalation(allowPrivilegeEscalation)

      AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.


    • withAllowedCapabilities

      withAllowedCapabilities(allowedCapabilities)

      AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author’s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.


    • withAllowedCapabilitiesMixin

      withAllowedCapabilitiesMixin(allowedCapabilities)

      AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author’s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.


    • withAllowedHostPaths

      withAllowedHostPaths(allowedHostPaths)

      is a white list of allowed host paths. Empty indicates that all host paths may be used.

      withAllowedHostPaths takes an array of type allowedHostPathsType. You can create an instance of allowedHostPathsType with hidden.extensions.v1beta1.allowedHostPath.new().

      see hidden.extensions.v1beta1.allowedHostPath


    • withAllowedHostPathsMixin

      withAllowedHostPathsMixin(allowedHostPaths)

      is a white list of allowed host paths. Empty indicates that all host paths may be used.

      withAllowedHostPathsMixin takes an array of type allowedHostPathsType. You can create an instance of allowedHostPathsType with hidden.extensions.v1beta1.allowedHostPath.new().

      see hidden.extensions.v1beta1.allowedHostPath


    • withDefaultAddCapabilities

      withDefaultAddCapabilities(defaultAddCapabilities)

      DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.


    • withDefaultAddCapabilitiesMixin

      withDefaultAddCapabilitiesMixin(defaultAddCapabilities)

      DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.


    • withDefaultAllowPrivilegeEscalation

      withDefaultAllowPrivilegeEscalation(defaultAllowPrivilegeEscalation)

      DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.


    • withHostIpc

      withHostIpc(hostIpc)

      hostIPC determines if the policy allows the use of HostIPC in the pod spec.


    • withHostNetwork

      withHostNetwork(hostNetwork)

      hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.


    • withHostPid

      withHostPid(hostPid)

      hostPID determines if the policy allows the use of HostPID in the pod spec.


    • withHostPorts

      withHostPorts(hostPorts)

      hostPorts determines which host port ranges are allowed to be exposed.

      withHostPorts takes an array of type hostPortsType. You can create an instance of hostPortsType with hidden.extensions.v1beta1.hostPortRange.new().

      see hidden.extensions.v1beta1.hostPortRange


    • withHostPortsMixin

      withHostPortsMixin(hostPorts)

      hostPorts determines which host port ranges are allowed to be exposed.

      withHostPortsMixin takes an array of type hostPortsType. You can create an instance of hostPortsType with hidden.extensions.v1beta1.hostPortRange.new().

      see hidden.extensions.v1beta1.hostPortRange


    • withPrivileged

      withPrivileged(privileged)

      privileged determines if a pod can request to be run as privileged.


    • withReadOnlyRootFilesystem

      withReadOnlyRootFilesystem(readOnlyRootFilesystem)

      ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.


    • withRequiredDropCapabilities

      withRequiredDropCapabilities(requiredDropCapabilities)

      RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.


    • withRequiredDropCapabilitiesMixin

      withRequiredDropCapabilitiesMixin(requiredDropCapabilities)

      RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.


    • withVolumes

      withVolumes(volumes)

      volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.


    • withVolumesMixin

      withVolumesMixin(volumes)

      volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.


    Mixins
    • fsGroup

      FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.


      Functions
      • mixinInstance

        mixinInstance(fsGroup)


      • withRanges

        withRanges(ranges)

        Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end.

        withRanges takes an array of type rangesType. You can create an instance of rangesType with hidden.extensions.v1beta1.idRange.new().

        see hidden.extensions.v1beta1.idRange


      • withRangesMixin

        withRangesMixin(ranges)

        Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end.

        withRangesMixin takes an array of type rangesType. You can create an instance of rangesType with hidden.extensions.v1beta1.idRange.new().

        see hidden.extensions.v1beta1.idRange


      • withRule

        withRule(rule)

        Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.


    • runAsUser

      runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.


      Functions
      • mixinInstance

        mixinInstance(runAsUser)


      • withRanges

        withRanges(ranges)

        Ranges are the allowed ranges of uids that may be used.

        withRanges takes an array of type rangesType. You can create an instance of rangesType with hidden.extensions.v1beta1.idRange.new().

        see hidden.extensions.v1beta1.idRange


      • withRangesMixin

        withRangesMixin(ranges)

        Ranges are the allowed ranges of uids that may be used.

        withRangesMixin takes an array of type rangesType. You can create an instance of rangesType with hidden.extensions.v1beta1.idRange.new().

        see hidden.extensions.v1beta1.idRange


      • withRule

        withRule(rule)

        Rule is the strategy that will dictate the allowable RunAsUser values that may be set.


    • seLinux

      seLinux is the strategy that will dictate the allowable labels that may be set.


      Functions
      • mixinInstance

        mixinInstance(seLinux)


      • withRule

        withRule(rule)

        type is the strategy that will dictate the allowable labels that may be set.


      Mixins
      • seLinuxOptions

        seLinuxOptions required to run as; required for MustRunAs More info: https://git.k8s.io/community/contributors/design-proposals/security_context.md


        Functions
        • mixinInstance

          mixinInstance(seLinuxOptions)


        • withLevel

          withLevel(level)

          Level is SELinux level label that applies to the container.


        • withRole

          withRole(role)

          Role is a SELinux role label that applies to the container.


        • withType

          withType(type)

          Type is a SELinux type label that applies to the container.


        • withUser

          withUser(user)

          User is a SELinux user label that applies to the container.


    • supplementalGroups

      SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.


      Functions
      • mixinInstance

        mixinInstance(supplementalGroups)


      • withRanges

        withRanges(ranges)

        Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end.

        withRanges takes an array of type rangesType. You can create an instance of rangesType with hidden.extensions.v1beta1.idRange.new().

        see hidden.extensions.v1beta1.idRange


      • withRangesMixin

        withRangesMixin(ranges)

        Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end.

        withRangesMixin takes an array of type rangesType. You can create an instance of rangesType with hidden.extensions.v1beta1.idRange.new().

        see hidden.extensions.v1beta1.idRange


      • withRule

        withRule(rule)

        Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.