Skip to content

security.v1.securityContextConstraints

"SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints."

Index

Fields

fn new

new(name)

new returns an instance of SecurityContextConstraints

fn withAllowHostDirVolumePlugin

withAllowHostDirVolumePlugin(allowHostDirVolumePlugin)

"AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin"

fn withAllowHostIPC

withAllowHostIPC(allowHostIPC)

"AllowHostIPC determines if the policy allows host ipc in the containers."

fn withAllowHostNetwork

withAllowHostNetwork(allowHostNetwork)

"AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec."

fn withAllowHostPID

withAllowHostPID(allowHostPID)

"AllowHostPID determines if the policy allows host pid in the containers."

fn withAllowHostPorts

withAllowHostPorts(allowHostPorts)

"AllowHostPorts determines if the policy allows host ports in the containers."

fn withAllowPrivilegeEscalation

withAllowPrivilegeEscalation(allowPrivilegeEscalation)

"AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true."

fn withAllowPrivilegedContainer

withAllowPrivilegedContainer(allowPrivilegedContainer)

"AllowPrivilegedContainer determines if a container can request to be run as privileged."

fn withAllowedCapabilities

withAllowedCapabilities(allowedCapabilities)

"AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'."

fn withAllowedCapabilitiesMixin

withAllowedCapabilitiesMixin(allowedCapabilities)

"AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'."

Note: This function appends passed data to existing values

fn withAllowedFlexVolumes

withAllowedFlexVolumes(allowedFlexVolumes)

"AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field."

fn withAllowedFlexVolumesMixin

withAllowedFlexVolumesMixin(allowedFlexVolumes)

"AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field."

Note: This function appends passed data to existing values

fn withAllowedUnsafeSysctls

withAllowedUnsafeSysctls(allowedUnsafeSysctls)

"AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."

fn withAllowedUnsafeSysctlsMixin

withAllowedUnsafeSysctlsMixin(allowedUnsafeSysctls)

"AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."

Note: This function appends passed data to existing values

fn withDefaultAddCapabilities

withDefaultAddCapabilities(defaultAddCapabilities)

"DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities."

fn withDefaultAddCapabilitiesMixin

withDefaultAddCapabilitiesMixin(defaultAddCapabilities)

"DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities."

Note: This function appends passed data to existing values

fn withDefaultAllowPrivilegeEscalation

withDefaultAllowPrivilegeEscalation(defaultAllowPrivilegeEscalation)

"DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process."

fn withForbiddenSysctls

withForbiddenSysctls(forbiddenSysctls)

"ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."

fn withForbiddenSysctlsMixin

withForbiddenSysctlsMixin(forbiddenSysctls)

"ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."

Note: This function appends passed data to existing values

fn withGroups

withGroups(groups)

"The groups that have permission to use this security context constraints"

fn withGroupsMixin

withGroupsMixin(groups)

"The groups that have permission to use this security context constraints"

Note: This function appends passed data to existing values

fn withPriority

withPriority(priority)

"Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name."

fn withReadOnlyRootFilesystem

withReadOnlyRootFilesystem(readOnlyRootFilesystem)

"ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."

fn withRequiredDropCapabilities

withRequiredDropCapabilities(requiredDropCapabilities)

"RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added."

fn withRequiredDropCapabilitiesMixin

withRequiredDropCapabilitiesMixin(requiredDropCapabilities)

"RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added."

Note: This function appends passed data to existing values

fn withSeccompProfiles

withSeccompProfiles(seccompProfiles)

"SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default."

fn withSeccompProfilesMixin

withSeccompProfilesMixin(seccompProfiles)

"SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default."

Note: This function appends passed data to existing values

fn withUsers

withUsers(users)

"The users who have permissions to use this security context constraints"

fn withUsersMixin

withUsersMixin(users)

"The users who have permissions to use this security context constraints"

Note: This function appends passed data to existing values

fn withVolumes

withVolumes(volumes)

"Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"]."

fn withVolumesMixin

withVolumesMixin(volumes)

"Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"]."

Note: This function appends passed data to existing values

obj fsGroup

"FSGroupStrategyOptions defines the strategy type and options used to create the strategy."

fn fsGroup.withRanges

withRanges(ranges)

"Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end."

fn fsGroup.withRangesMixin

withRangesMixin(ranges)

"Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end."

Note: This function appends passed data to existing values

fn fsGroup.withType

withType(type)

"Type is the strategy that will dictate what FSGroup is used in the SecurityContext."

obj metadata

"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create."

fn metadata.withAnnotations

withAnnotations(annotations)

"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"

fn metadata.withAnnotationsMixin

withAnnotationsMixin(annotations)

"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"

Note: This function appends passed data to existing values

fn metadata.withClusterName

withClusterName(clusterName)

"The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request."

fn metadata.withCreationTimestamp

withCreationTimestamp(creationTimestamp)

fn metadata.withDeletionGracePeriodSeconds

withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)

"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."

fn metadata.withDeletionTimestamp

withDeletionTimestamp(deletionTimestamp)

fn metadata.withFinalizers

withFinalizers(finalizers)

"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed."

fn metadata.withFinalizersMixin

withFinalizersMixin(finalizers)

"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed."

Note: This function appends passed data to existing values

fn metadata.withGenerateName

withGenerateName(generateName)

"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#idempotency"

fn metadata.withGeneration

withGeneration(generation)

"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only."

fn metadata.withLabels

withLabels(labels)

"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"

fn metadata.withLabelsMixin

withLabelsMixin(labels)

"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"

Note: This function appends passed data to existing values

fn metadata.withName

withName(name)

"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names"

fn metadata.withNamespace

withNamespace(namespace)

"Namespace defines the space within each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces"

fn metadata.withOwnerReferences

withOwnerReferences(ownerReferences)

"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."

fn metadata.withOwnerReferencesMixin

withOwnerReferencesMixin(ownerReferences)

"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."

Note: This function appends passed data to existing values

fn metadata.withResourceVersion

withResourceVersion(resourceVersion)

"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#concurrency-control-and-consistency"

withSelfLink(selfLink)

"SelfLink is a URL representing this object. Populated by the system. Read-only."

fn metadata.withUid

withUid(uid)

"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"

obj metadata.initializers

"Initializers tracks the progress of initialization."

fn metadata.initializers.withPending

withPending(pending)

"Pending is a list of initializers that must execute in order before this object is visible. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients."

fn metadata.initializers.withPendingMixin

withPendingMixin(pending)

"Pending is a list of initializers that must execute in order before this object is visible. When the last pending initializer is removed, and no failing result is set, the initializers struct will be set to nil and the object is considered as initialized and visible to all clients."

Note: This function appends passed data to existing values

obj metadata.initializers.result

"Status is a return value for calls that don't return other objects."

fn metadata.initializers.result.withApiVersion

withApiVersion(apiVersion)

"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources"

fn metadata.initializers.result.withCode

withCode(code)

"Suggested HTTP return code for this status, 0 if not set."

fn metadata.initializers.result.withKind

withKind(kind)

"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"

fn metadata.initializers.result.withMessage

withMessage(message)

"A human-readable description of the status of this operation."

fn metadata.initializers.result.withMetadata

withMetadata(metadata)

"Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"

fn metadata.initializers.result.withReason

withReason(reason)

"A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available. A Reason clarifies an HTTP status code but does not override it."

obj metadata.initializers.result.details

"StatusDetails is a set of additional properties that MAY be set by the server to provide additional information about a response. The Reason field of a Status object defines what attributes will be set. Clients must ignore fields that do not match the defined type of each attribute, and should assume that any attribute may be empty, invalid, or under defined."

fn metadata.initializers.result.details.withCauses

withCauses(causes)

"The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes."

fn metadata.initializers.result.details.withCausesMixin

withCausesMixin(causes)

"The Causes array includes more details associated with the StatusReason failure. Not all StatusReasons may provide detailed causes."

Note: This function appends passed data to existing values

fn metadata.initializers.result.details.withGroup

withGroup(group)

"The group attribute of the resource associated with the status StatusReason."

fn metadata.initializers.result.details.withKind

withKind(kind)

"The kind attribute of the resource associated with the status StatusReason. On some operations may differ from the requested resource Kind. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds"

fn metadata.initializers.result.details.withName

withName(name)

"The name attribute of the resource associated with the status StatusReason (when there is a single name which can be described)."

fn metadata.initializers.result.details.withRetryAfterSeconds

withRetryAfterSeconds(retryAfterSeconds)

"If specified, the time in seconds before the operation should be retried. Some errors may indicate the client must take an alternate action - for those errors this field may indicate how long to wait before taking the alternate action."

fn metadata.initializers.result.details.withUid

withUid(uid)

"UID of the resource. (when there is a single resource which can be described). More info: http://kubernetes.io/docs/user-guide/identifiers#uids"

obj runAsUser

"RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy."

fn runAsUser.withType

withType(type)

"Type is the strategy that will dictate what RunAsUser is used in the SecurityContext."

fn runAsUser.withUid

withUid(uid)

"UID is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids."

fn runAsUser.withUidRangeMax

withUidRangeMax(uidRangeMax)

"UIDRangeMax defines the max value for a strategy that allocates by range."

fn runAsUser.withUidRangeMin

withUidRangeMin(uidRangeMin)

"UIDRangeMin defines the min value for a strategy that allocates by range."

obj seLinuxContext

"SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy."

fn seLinuxContext.withType

withType(type)

"Type is the strategy that will dictate what SELinux context is used in the SecurityContext."

obj seLinuxContext.seLinuxOptions

"SELinuxOptions are the labels to be applied to the container"

fn seLinuxContext.seLinuxOptions.withLevel

withLevel(level)

"Level is SELinux level label that applies to the container."

fn seLinuxContext.seLinuxOptions.withRole

withRole(role)

"Role is a SELinux role label that applies to the container."

fn seLinuxContext.seLinuxOptions.withType

withType(type)

"Type is a SELinux type label that applies to the container."

fn seLinuxContext.seLinuxOptions.withUser

withUser(user)

"User is a SELinux user label that applies to the container."

obj supplementalGroups

"SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy."

fn supplementalGroups.withRanges

withRanges(ranges)

"Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end."

fn supplementalGroups.withRangesMixin

withRangesMixin(ranges)

"Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end."

Note: This function appends passed data to existing values

fn supplementalGroups.withType

withType(type)

"Type is the strategy that will dictate what supplemental groups is used in the SecurityContext."