 Documentation
      ¶
      Documentation
      ¶
    
    
  
    
  
    Index ¶
- Constants
- Variables
- func Kind(kind string) schema.GroupKind
- func PodAnnotationsFromSysctls(sysctls []string) string
- func Resource(resource string) schema.GroupResource
- func SysctlsFromPodSecurityPolicyAnnotation(annotation string) ([]string, error)
- type AllowedFlexVolume
- type AllowedHostPath
- type Eviction
- type FSGroupStrategyOptions
- type FSGroupStrategyType
- type FSType
- type GroupIDRange
- type HostPortRange
- type PodDisruptionBudget
- type PodDisruptionBudgetList
- type PodDisruptionBudgetSpec
- type PodDisruptionBudgetStatus
- type PodSecurityPolicy
- type PodSecurityPolicyList
- type PodSecurityPolicySpec
- type RunAsUserStrategy
- type RunAsUserStrategyOptions
- type SELinuxStrategy
- type SELinuxStrategyOptions
- type SupplementalGroupsStrategyOptions
- type SupplementalGroupsStrategyType
- type UserIDRange
Constants ¶
const GroupName = "policy"
    GroupName is the group name use in this package
const ( // SysctlsPodSecurityPolicyAnnotationKey represents the key of a whitelist of // allowed safe and unsafe sysctls in a pod spec. It's a comma-separated list of plain sysctl // names or sysctl patterns (which end in *). The string "*" matches all sysctls. SysctlsPodSecurityPolicyAnnotationKey string = "security.alpha.kubernetes.io/sysctls" )
Variables ¶
var ( SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) AddToScheme = SchemeBuilder.AddToScheme )
var AllowAllCapabilities api.Capability = "*"
    AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities field and means that any capabilities are allowed to be requested.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: runtime.APIVersionInternal}
    SchemeGroupVersion is group version used to register these objects
Functions ¶
func PodAnnotationsFromSysctls ¶
PodAnnotationsFromSysctls creates an annotation value for a slice of Sysctls.
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
func SysctlsFromPodSecurityPolicyAnnotation ¶
SysctlsFromPodSecurityPolicyAnnotation parses an annotation value of the key SysctlsSecurityPolicyAnnotationKey into a slice of sysctls. An empty slice is returned if annotation is the empty string.
Types ¶
type AllowedFlexVolume ¶
type AllowedFlexVolume struct {
	// Driver is the name of the Flexvolume driver.
	Driver string
}
    AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
func (*AllowedFlexVolume) DeepCopy ¶
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
func (*AllowedFlexVolume) DeepCopyInto ¶
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AllowedHostPath ¶
type AllowedHostPath struct {
	// PathPrefix is the path prefix that the host volume must match.
	// PathPrefix does not support `*`.
	// Trailing slashes are trimmed when validating the path prefix with a host path.
	//
	// Examples:
	// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
	// `/foo` would not allow `/food` or `/etc/foo`
	PathPrefix string
}
    AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.
func (*AllowedHostPath) DeepCopy ¶
func (in *AllowedHostPath) DeepCopy() *AllowedHostPath
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedHostPath.
func (*AllowedHostPath) DeepCopyInto ¶
func (in *AllowedHostPath) DeepCopyInto(out *AllowedHostPath)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Eviction ¶ added in v1.4.0
type Eviction struct {
	metav1.TypeMeta
	// ObjectMeta describes the pod that is being evicted.
	// +optional
	metav1.ObjectMeta
	// DeleteOptions may be provided
	// +optional
	DeleteOptions *metav1.DeleteOptions
}
    Eviction evicts a pod from its node subject to certain policies and safety constraints. This is a subresource of Pod. A request to cause such an eviction is created by POSTing to .../pods/<pod name>/eviction.
func (*Eviction) DeepCopy ¶ added in v1.8.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eviction.
func (*Eviction) DeepCopyInto ¶ added in v1.8.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Eviction) DeepCopyObject ¶ added in v1.8.0
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FSGroupStrategyOptions ¶
type FSGroupStrategyOptions struct {
	// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
	// +optional
	Rule FSGroupStrategyType
	// Ranges are the allowed ranges of fs groups.  If you would like to force a single
	// fs group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []GroupIDRange
}
    FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
func (*FSGroupStrategyOptions) DeepCopy ¶
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
func (*FSGroupStrategyOptions) DeepCopyInto ¶
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FSGroupStrategyType ¶
type FSGroupStrategyType string
FSGroupStrategyType denotes strategy types for generating FSGroup values for a SecurityContext
const ( // FSGroupStrategyMustRunAs means that container must have FSGroup of X applied. FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" )
type FSType ¶
type FSType string
FSType gives strong typing to different file systems that are used by volumes.
var ( AzureFile FSType = "azureFile" Flocker FSType = "flocker" FlexVolume FSType = "flexVolume" HostPath FSType = "hostPath" EmptyDir FSType = "emptyDir" GCEPersistentDisk FSType = "gcePersistentDisk" AWSElasticBlockStore FSType = "awsElasticBlockStore" GitRepo FSType = "gitRepo" Secret FSType = "secret" NFS FSType = "nfs" ISCSI FSType = "iscsi" Glusterfs FSType = "glusterfs" PersistentVolumeClaim FSType = "persistentVolumeClaim" RBD FSType = "rbd" Cinder FSType = "cinder" CephFS FSType = "cephFS" DownwardAPI FSType = "downwardAPI" FC FSType = "fc" ConfigMap FSType = "configMap" VsphereVolume FSType = "vsphereVolume" Quobyte FSType = "quobyte" AzureDisk FSType = "azureDisk" PhotonPersistentDisk FSType = "photonPersistentDisk" StorageOS FSType = "storageos" Projected FSType = "projected" PortworxVolume FSType = "portworxVolume" ScaleIO FSType = "scaleIO" CSI FSType = "csi" All FSType = "*" )
type GroupIDRange ¶
type GroupIDRange struct {
	// Min is the start of the range, inclusive.
	Min int64
	// Max is the end of the range, inclusive.
	Max int64
}
    GroupIDRange provides a min/max of an allowed range of GroupIDs.
func (*GroupIDRange) DeepCopy ¶
func (in *GroupIDRange) DeepCopy() *GroupIDRange
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupIDRange.
func (*GroupIDRange) DeepCopyInto ¶
func (in *GroupIDRange) DeepCopyInto(out *GroupIDRange)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type HostPortRange ¶
type HostPortRange struct {
	// Min is the start of the range, inclusive.
	Min int32
	// Max is the end of the range, inclusive.
	Max int32
}
    HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.
func (*HostPortRange) DeepCopy ¶
func (in *HostPortRange) DeepCopy() *HostPortRange
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostPortRange.
func (*HostPortRange) DeepCopyInto ¶
func (in *HostPortRange) DeepCopyInto(out *HostPortRange)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodDisruptionBudget ¶
type PodDisruptionBudget struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta
	// Specification of the desired behavior of the PodDisruptionBudget.
	// +optional
	Spec PodDisruptionBudgetSpec
	// Most recently observed status of the PodDisruptionBudget.
	// +optional
	Status PodDisruptionBudgetStatus
}
    PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
func (*PodDisruptionBudget) DeepCopy ¶ added in v1.8.0
func (in *PodDisruptionBudget) DeepCopy() *PodDisruptionBudget
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudget.
func (*PodDisruptionBudget) DeepCopyInto ¶ added in v1.8.0
func (in *PodDisruptionBudget) DeepCopyInto(out *PodDisruptionBudget)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodDisruptionBudget) DeepCopyObject ¶ added in v1.8.0
func (in *PodDisruptionBudget) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodDisruptionBudgetList ¶
type PodDisruptionBudgetList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta
	Items []PodDisruptionBudget
}
    PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
func (*PodDisruptionBudgetList) DeepCopy ¶ added in v1.8.0
func (in *PodDisruptionBudgetList) DeepCopy() *PodDisruptionBudgetList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetList.
func (*PodDisruptionBudgetList) DeepCopyInto ¶ added in v1.8.0
func (in *PodDisruptionBudgetList) DeepCopyInto(out *PodDisruptionBudgetList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodDisruptionBudgetList) DeepCopyObject ¶ added in v1.8.0
func (in *PodDisruptionBudgetList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodDisruptionBudgetSpec ¶
type PodDisruptionBudgetSpec struct {
	// An eviction is allowed if at least "minAvailable" pods selected by
	// "selector" will still be available after the eviction, i.e. even in the
	// absence of the evicted pod.  So for example you can prevent all voluntary
	// evictions by specifying "100%".
	// +optional
	MinAvailable *intstr.IntOrString
	// Label query over pods whose evictions are managed by the disruption
	// budget.
	// +optional
	Selector *metav1.LabelSelector
	// "selector" are unavailable after the eviction, i.e. even in absence of
	// the evicted pod. For example, one can prevent all voluntary evictions
	// by specifying 0. This is a mutually exclusive setting with "minAvailable".
	// +optional
	MaxUnavailable *intstr.IntOrString
}
    PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
func (*PodDisruptionBudgetSpec) DeepCopy ¶ added in v1.8.0
func (in *PodDisruptionBudgetSpec) DeepCopy() *PodDisruptionBudgetSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetSpec.
func (*PodDisruptionBudgetSpec) DeepCopyInto ¶ added in v1.8.0
func (in *PodDisruptionBudgetSpec) DeepCopyInto(out *PodDisruptionBudgetSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodDisruptionBudgetStatus ¶
type PodDisruptionBudgetStatus struct {
	// Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
	// status informatio is valid only if observedGeneration equals to PDB's object generation.
	// +optional
	ObservedGeneration int64
	// DisruptedPods contains information about pods whose eviction was
	// processed by the API server eviction subresource handler but has not
	// yet been observed by the PodDisruptionBudget controller.
	// A pod will be in this map from the time when the API server processed the
	// eviction request to the time when the pod is seen by PDB controller
	// as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
	// and the value is the time when the API server processed the eviction request. If
	// the deletion didn't occur and a pod is still there it will be removed from
	// the list automatically by PodDisruptionBudget controller after some time.
	// If everything goes smooth this map should be empty for the most of the time.
	// Large number of entries in the map may indicate problems with pod deletions.
	DisruptedPods map[string]metav1.Time
	// Number of pod disruptions that are currently allowed.
	PodDisruptionsAllowed int32
	// current number of healthy pods
	CurrentHealthy int32
	// minimum desired number of healthy pods
	DesiredHealthy int32
	// total number of pods counted by this disruption budget
	ExpectedPods int32
}
    PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.
func (*PodDisruptionBudgetStatus) DeepCopy ¶ added in v1.8.0
func (in *PodDisruptionBudgetStatus) DeepCopy() *PodDisruptionBudgetStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodDisruptionBudgetStatus.
func (*PodDisruptionBudgetStatus) DeepCopyInto ¶ added in v1.8.0
func (in *PodDisruptionBudgetStatus) DeepCopyInto(out *PodDisruptionBudgetStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PodSecurityPolicy ¶
type PodSecurityPolicy struct {
	metav1.TypeMeta
	// +optional
	metav1.ObjectMeta
	// Spec defines the policy enforced.
	// +optional
	Spec PodSecurityPolicySpec
}
    PodSecurityPolicy governs the ability to make requests that affect the SecurityContext that will be applied to a pod and container.
func (*PodSecurityPolicy) DeepCopy ¶
func (in *PodSecurityPolicy) DeepCopy() *PodSecurityPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicy.
func (*PodSecurityPolicy) DeepCopyInto ¶
func (in *PodSecurityPolicy) DeepCopyInto(out *PodSecurityPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicy) DeepCopyObject ¶
func (in *PodSecurityPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicyList ¶
type PodSecurityPolicyList struct {
	metav1.TypeMeta
	// +optional
	metav1.ListMeta
	Items []PodSecurityPolicy
}
    PodSecurityPolicyList is a list of PodSecurityPolicy objects.
func (*PodSecurityPolicyList) DeepCopy ¶
func (in *PodSecurityPolicyList) DeepCopy() *PodSecurityPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyList.
func (*PodSecurityPolicyList) DeepCopyInto ¶
func (in *PodSecurityPolicyList) DeepCopyInto(out *PodSecurityPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PodSecurityPolicyList) DeepCopyObject ¶
func (in *PodSecurityPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type PodSecurityPolicySpec ¶
type PodSecurityPolicySpec struct {
	// Privileged determines if a pod can request to be run as privileged.
	// +optional
	Privileged bool
	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability.  You may not list a capability in both
	// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
	// allowed, and need not be included in the AllowedCapabilities list.
	// +optional
	DefaultAddCapabilities []api.Capability
	// RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
	// are required to be dropped and cannot be added.
	// +optional
	RequiredDropCapabilities []api.Capability
	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field may be added at the pod author's discretion.
	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
	// To allow all capabilities you may use '*'.
	// +optional
	AllowedCapabilities []api.Capability
	// Volumes is a white list of allowed volume plugins. Empty indicates that
	// no volumes may be used. To allow all volumes you may use '*'.
	// +optional
	Volumes []FSType
	// HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	// +optional
	HostNetwork bool
	// HostPorts determines which host port ranges are allowed to be exposed.
	// +optional
	HostPorts []HostPortRange
	// HostPID determines if the policy allows the use of HostPID in the pod spec.
	// +optional
	HostPID bool
	// HostIPC determines if the policy allows the use of HostIPC in the pod spec.
	// +optional
	HostIPC bool
	// SELinux is the strategy that will dictate the allowable labels that may be set.
	SELinux SELinuxStrategyOptions
	// RunAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
	RunAsUser RunAsUserStrategyOptions
	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	SupplementalGroups SupplementalGroupsStrategyOptions
	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	FSGroup FSGroupStrategyOptions
	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system.  If the container specifically requests to run with a non-read only root file system
	// the PSP should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	// +optional
	ReadOnlyRootFilesystem bool
	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
	// process can gain more privileges than its parent process.
	// +optional
	DefaultAllowPrivilegeEscalation *bool
	// AllowPrivilegeEscalation determines if a pod can request to allow
	// privilege escalation. If unspecified, defaults to true.
	// +optional
	AllowPrivilegeEscalation bool
	// AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
	// +optional
	AllowedHostPaths []AllowedHostPath
	// AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
	// Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
	// is allowed in the "Volumes" field.
	// +optional
	AllowedFlexVolumes []AllowedFlexVolume
}
    PodSecurityPolicySpec defines the policy enforced.
func (*PodSecurityPolicySpec) DeepCopy ¶
func (in *PodSecurityPolicySpec) DeepCopy() *PodSecurityPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySpec.
func (*PodSecurityPolicySpec) DeepCopyInto ¶
func (in *PodSecurityPolicySpec) DeepCopyInto(out *PodSecurityPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RunAsUserStrategy ¶
type RunAsUserStrategy string
RunAsUserStrategy denotes strategy types for generating RunAsUser values for a SecurityContext.
const ( // RunAsUserStrategyMustRunAs means that container must run as a particular uid. RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" // RunAsUserStrategyRunAsAny means that container may make requests for any uid. RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" )
type RunAsUserStrategyOptions ¶
type RunAsUserStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
	Rule RunAsUserStrategy
	// Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
	// then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []UserIDRange
}
    RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
func (*RunAsUserStrategyOptions) DeepCopy ¶
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
func (*RunAsUserStrategyOptions) DeepCopyInto ¶
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SELinuxStrategy ¶
type SELinuxStrategy string
SELinuxStrategy denotes strategy types for generating SELinux options for a Security.
const ( // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" )
type SELinuxStrategyOptions ¶
type SELinuxStrategyOptions struct {
	// Rule is the strategy that will dictate the allowable labels that may be set.
	Rule SELinuxStrategy
	// SELinuxOptions required to run as; required for MustRunAs
	// More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
	// +optional
	SELinuxOptions *api.SELinuxOptions
}
    SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
func (*SELinuxStrategyOptions) DeepCopy ¶
func (in *SELinuxStrategyOptions) DeepCopy() *SELinuxStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxStrategyOptions.
func (*SELinuxStrategyOptions) DeepCopyInto ¶
func (in *SELinuxStrategyOptions) DeepCopyInto(out *SELinuxStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SupplementalGroupsStrategyOptions ¶
type SupplementalGroupsStrategyOptions struct {
	// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
	// +optional
	Rule SupplementalGroupsStrategyType
	// Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
	// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
	// +optional
	Ranges []GroupIDRange
}
    SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
func (*SupplementalGroupsStrategyOptions) DeepCopy ¶
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
func (*SupplementalGroupsStrategyOptions) DeepCopyInto ¶
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SupplementalGroupsStrategyType ¶
type SupplementalGroupsStrategyType string
SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental groups for a SecurityContext.
const ( // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" )
type UserIDRange ¶
type UserIDRange struct {
	// Min is the start of the range, inclusive.
	Min int64
	// Max is the end of the range, inclusive.
	Max int64
}
    UserIDRange provides a min/max of an allowed range of UserIDs.
func (*UserIDRange) DeepCopy ¶
func (in *UserIDRange) DeepCopy() *UserIDRange
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIDRange.
func (*UserIDRange) DeepCopyInto ¶
func (in *UserIDRange) DeepCopyInto(out *UserIDRange)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
       Directories
      ¶
      Directories
      ¶
    
    | Path | Synopsis | 
|---|---|
| Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery. | Package install installs the experimental API group, making it available as an option to all of the API encoding/decoding machinery. | 
| Package policy is for any kind of policy object. | Package policy is for any kind of policy object. |