diff --git a/pkg/apis/extensions/types.go b/pkg/apis/extensions/types.go
index e36972846bc..21f0361aa4c 100644
--- a/pkg/apis/extensions/types.go
+++ b/pkg/apis/extensions/types.go
@@ -818,8 +818,8 @@ type PodSecurityPolicySpec struct {
 // To allow all capabilities you may use '*'.
 // +optional
 AllowedCapabilities []api.Capability
- // Volumes is a white list of allowed volume plugins. Empty indicates that all plugins
- // may be used.
+ // Volumes is a white list of allowed volume plugins. Empty indicates that
+ // no volumes may be used. To allow all volumes you may use '*'.
 // +optional
 Volumes []FSType
 // HostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
@@ -938,7 +938,7 @@ type AllowedFlexVolume struct {
 type SELinuxStrategyOptions struct {
 // Rule is the strategy that will dictate the allowable labels that may be set.
 Rule SELinuxStrategy
- // seLinuxOptions required to run as; required for MustRunAs
+ // SELinuxOptions required to run as; required for MustRunAs
 // More info: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#selinux
 // +optional
 SELinuxOptions *api.SELinuxOptions
@@ -949,9 +949,9 @@ type SELinuxStrategyOptions struct {
 type SELinuxStrategy string
 
 const (
- // container must have SELinux labels of X applied.
+ // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
- // container may make requests for any SELinux context labels.
+ // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
 )
 
@@ -959,7 +959,8 @@ const (
 type RunAsUserStrategyOptions struct {
 // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
 Rule RunAsUserStrategy
- // Ranges are the allowed ranges of uids that may be used.
+ // Ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
+ // then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []UserIDRange
 }
@@ -985,11 +986,11 @@ type GroupIDRange struct {
 type RunAsUserStrategy string
 
 const (
- // container must run as a particular uid.
+ // RunAsUserStrategyMustRunAs means that container must run as a particular uid.
 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
- // container must run as a non-root uid
+ // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid
 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
- // container may make requests for any uid.
+ // RunAsUserStrategyRunAsAny means that container may make requests for any uid.
 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
 )
 
@@ -999,7 +1000,7 @@ type FSGroupStrategyOptions struct {
 // +optional
 Rule FSGroupStrategyType
 // Ranges are the allowed ranges of fs groups. If you would like to force a single
- // fs group then supply a single range with the same start and end.
+ // fs group then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []GroupIDRange
 }
@@ -1009,9 +1010,9 @@ type FSGroupStrategyOptions struct {
 type FSGroupStrategyType string
 
 const (
- // container must have FSGroup of X applied.
+ // FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.
 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
- // container may make requests for any FSGroup labels.
+ // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
 )
 
@@ -1021,7 +1022,7 @@ type SupplementalGroupsStrategyOptions struct {
 // +optional
 Rule SupplementalGroupsStrategyType
 // Ranges are the allowed ranges of supplemental groups. If you would like to force a single
- // supplemental group then supply a single range with the same start and end.
+ // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []GroupIDRange
 }
@@ -1031,9 +1032,9 @@ type SupplementalGroupsStrategyOptions struct {
 type SupplementalGroupsStrategyType string
 
 const (
- // container must run as a particular gid.
+ // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
- // container may make requests for any gid.
+ // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
 )
 
diff --git a/staging/src/k8s.io/api/extensions/v1beta1/types.go b/staging/src/k8s.io/api/extensions/v1beta1/types.go
index c3d9f72d734..45b60a9bc09 100644
--- a/staging/src/k8s.io/api/extensions/v1beta1/types.go
+++ b/staging/src/k8s.io/api/extensions/v1beta1/types.go
@@ -862,7 +862,7 @@ type ReplicaSetCondition struct {
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// Pod Security Policy governs the ability to make requests that affect the Security Context
+// PodSecurityPolicy governs the ability to make requests that affect the Security Context
 // that will be applied to a pod and container.
 type PodSecurityPolicy struct {
 metav1.TypeMeta `json:",inline"`
@@ -876,28 +876,28 @@ type PodSecurityPolicy struct {
 Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
 }
 
-// Pod Security Policy Spec defines the policy enforced.
+// PodSecurityPolicySpec defines the policy enforced.
 type PodSecurityPolicySpec struct {
 // privileged determines if a pod can request to be run as privileged.
 // +optional
 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
- // DefaultAddCapabilities is the default set of capabilities that will be added to the container
+ // defaultAddCapabilities is the default set of capabilities that will be added to the container
 // unless the pod spec specifically drops the capability. You may not list a capability in both
- // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
- // allowed, and need not be included in the AllowedCapabilities list.
+ // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
+ // allowed, and need not be included in the allowedCapabilities list.
 // +optional
 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // RequiredDropCapabilities are the capabilities that will be dropped from the container. These
+ // requiredDropCapabilities are the capabilities that will be dropped from the container. These
 // are required to be dropped and cannot be added.
 // +optional
 RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+ // allowedCapabilities is a list of capabilities that can be requested to add to the container.
 // Capabilities in this field may be added at the pod author's discretion.
- // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+ // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
 // +optional
 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // volumes is a white list of allowed volume plugins. Empty indicates that all plugins
- // may be used.
+ // volumes is a white list of allowed volume plugins. Empty indicates that
+ // no volumes may be used. To allow all volumes you may use '*'.
 // +optional
 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"`
 // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
@@ -916,39 +916,40 @@ type PodSecurityPolicySpec struct {
 SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"`
 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
 RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"`
- // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+ // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
 SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"`
- // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+ // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
 FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"`
- // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+ // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
 // system. If the container specifically requests to run with a non-read only root file system
 // the PSP should deny the pod.
 // If set to false the container may run with a read only root file system if it wishes but it
 // will not be forced to.
 // +optional
 ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
- // DefaultAllowPrivilegeEscalation controls the default setting for whether a
+ // defaultAllowPrivilegeEscalation controls the default setting for whether a
 // process can gain more privileges than its parent process.
 // +optional
 DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
- // AllowPrivilegeEscalation determines if a pod can request to allow
+ // allowPrivilegeEscalation determines if a pod can request to allow
 // privilege escalation. If unspecified, defaults to true.
 // +optional
 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
- // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // allowedHostPaths is a white list of allowed host paths. Empty indicates
+ // that all host paths may be used.
 // +optional
 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
- // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- // is allowed in the "Volumes" field.
+ // is allowed in the "volumes" field.
 // +optional
 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
 }
 
-// defines the host volume conditions that will be enabled by a policy
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
 // for pods to use. It requires the path prefix to be defined.
 type AllowedHostPath struct {
- // is the path prefix that the host volume must match.
+ // pathPrefix is the path prefix that the host volume must match.
 // It does not support `*`.
 // Trailing slashes are trimmed when validating the path prefix with a host path.
 //
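Review bot: The rewritten allowedHostPaths comment keeps `Empty indicates that all host paths may be used`, which now reads as the opposite default from the volumes comment earlier in this same file (`Empty indicates that no volumes may be used`), and nothing tells the reader that the field only matters once hostPath is listed in volumes. The neighbouring allowedFlexVolumes text in this hunk already spells out that dependency, so the two fields should read alike; suggest appending `// This parameter is effective only when the usage of hostPath volumes is allowed in the "volumes" field.` after the existing sentence, assuming the policy provider gates hostPath on the volumes list before consulting this field as it does for flex volumes. The identical hunk appears in staging/src/k8s.io/api/policy/v1beta1/types.go and should get the same wording; the AllowedHostPaths comment of the internal type in pkg/apis/extensions/types.go is not touched by this diff, so it would need a matching edit outside it.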
@@ -958,7 +959,7 @@ type AllowedHostPath struct {
 PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
 }
 
-// FS Type gives strong typing to different file systems that are used by volumes.
+// FSType gives strong typing to different file systems that are used by volumes.
 type FSType string
 
 var (
@@ -988,11 +989,11 @@ var (
 
 // AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
 type AllowedFlexVolume struct {
- // Driver is the name of the Flexvolume driver.
+ // driver is the name of the Flexvolume driver.
 Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"`
 }
 
-// Host Port Range defines a range of host ports that will be enabled by a policy
+// HostPortRange defines a range of host ports that will be enabled by a policy
 // for pods to use. It requires both the start and end to be defined.
 type HostPortRange struct {
 // min is the start of the range, inclusive.
@@ -1001,9 +1002,9 @@ type HostPortRange struct {
 Max int32 `json:"max" protobuf:"varint,2,opt,name=max"`
 }
 
-// SELinux Strategy Options defines the strategy type and any options used to create the strategy.
+// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
 type SELinuxStrategyOptions struct {
- // type is the strategy that will dictate the allowable labels that may be set.
+ // rule is the strategy that will dictate the allowable labels that may be set.
 Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"`
 // seLinuxOptions required to run as; required for MustRunAs
 // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
@@ -1016,26 +1017,27 @@ type SELinuxStrategyOptions struct {
 type SELinuxStrategy string
 
 const (
- // container must have SELinux labels of X applied.
+ // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
- // container may make requests for any SELinux context labels.
+ // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
 )
 
-// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
+// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
 type RunAsUserStrategyOptions struct {
- // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+ // rule is the strategy that will dictate the allowable RunAsUser values that may be set.
 Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"`
- // Ranges are the allowed ranges of uids that may be used.
+ // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
+ // then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
 
-// ID Range provides a min/max of an allowed range of IDs.
+// IDRange provides a min/max of an allowed range of IDs.
 type IDRange struct {
- // Min is the start of the range, inclusive.
+ // min is the start of the range, inclusive.
 Min int64 `json:"min" protobuf:"varint,1,opt,name=min"`
- // Max is the end of the range, inclusive.
+ // max is the end of the range, inclusive.
 Max int64 `json:"max" protobuf:"varint,2,opt,name=max"`
 }
 
@@ -1044,21 +1046,21 @@ type IDRange struct {
 type RunAsUserStrategy string
 
 const (
- // container must run as a particular uid.
+ // RunAsUserStrategyMustRunAs means that container must run as a particular uid.
 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
- // container must run as a non-root uid
+ // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid.
 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
- // container may make requests for any uid.
+ // RunAsUserStrategyRunAsAny means that container may make requests for any uid.
 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
 )
 
 // FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
 type FSGroupStrategyOptions struct {
- // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+ // rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
 // +optional
 Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"`
- // Ranges are the allowed ranges of fs groups. If you would like to force a single
- // fs group then supply a single range with the same start and end.
+ // ranges are the allowed ranges of fs groups. If you would like to force a single
+ // fs group then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
@@ -1068,19 +1070,19 @@ type FSGroupStrategyOptions struct {
 type FSGroupStrategyType string
 
 const (
- // container must have FSGroup of X applied.
+ // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied.
 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
- // container may make requests for any FSGroup labels.
+ // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
 )
 
 // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
 type SupplementalGroupsStrategyOptions struct {
- // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+ // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
 // +optional
 Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"`
- // Ranges are the allowed ranges of supplemental groups. If you would like to force a single
- // supplemental group then supply a single range with the same start and end.
+ // ranges are the allowed ranges of supplemental groups. If you would like to force a single
+ // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
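Review bot: The new constant comment on the first added line of this hunk reads `FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied.`; "meant" is a typo for "means", and it is the only constant comment in this change that does not use "means". It should read `// FSGroupStrategyMustRunAs means that container must have FSGroup of X applied.` to match FSGroupStrategyRunAsAny directly below it and the same constant in pkg/apis/extensions/types.go. The corresponding hunk in staging/src/k8s.io/api/policy/v1beta1/types.go (`@@ -325,19 +327,19 @@`) carries the same typo and needs the same fix.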
@@ -1090,15 +1092,15 @@ type SupplementalGroupsStrategyOptions struct {
 type SupplementalGroupsStrategyType string
 
 const (
- // container must run as a particular gid.
+ // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
- // container may make requests for any gid.
+ // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// Pod Security Policy List is a list of PodSecurityPolicy objects.
+// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
 type PodSecurityPolicyList struct {
 metav1.TypeMeta `json:",inline"`
 // Standard list metadata.
@@ -1106,7 +1108,7 @@ type PodSecurityPolicyList struct {
 // +optional
 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
- // Items is a list of schema objects.
+ // items is a list of schema objects.
 Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
 }
 
diff --git a/staging/src/k8s.io/api/policy/v1beta1/types.go b/staging/src/k8s.io/api/policy/v1beta1/types.go
index 6cea9615fff..cd8e02c2122 100644
--- a/staging/src/k8s.io/api/policy/v1beta1/types.go
+++ b/staging/src/k8s.io/api/policy/v1beta1/types.go
@@ -119,7 +119,7 @@ type Eviction struct {
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// Pod Security Policy governs the ability to make requests that affect the Security Context
+// PodSecurityPolicy governs the ability to make requests that affect the Security Context
 // that will be applied to a pod and container.
 type PodSecurityPolicy struct {
 metav1.TypeMeta `json:",inline"`
@@ -133,28 +133,28 @@ type PodSecurityPolicy struct {
 Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
 }
 
-// Pod Security Policy Spec defines the policy enforced.
+// PodSecurityPolicySpec defines the policy enforced.
 type PodSecurityPolicySpec struct {
 // privileged determines if a pod can request to be run as privileged.
 // +optional
 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
- // DefaultAddCapabilities is the default set of capabilities that will be added to the container
+ // defaultAddCapabilities is the default set of capabilities that will be added to the container
 // unless the pod spec specifically drops the capability. You may not list a capability in both
- // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
- // allowed, and need not be included in the AllowedCapabilities list.
+ // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
+ // allowed, and need not be included in the allowedCapabilities list.
 // +optional
 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // RequiredDropCapabilities are the capabilities that will be dropped from the container. These
+ // requiredDropCapabilities are the capabilities that will be dropped from the container. These
 // are required to be dropped and cannot be added.
 // +optional
 RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+ // allowedCapabilities is a list of capabilities that can be requested to add to the container.
 // Capabilities in this field may be added at the pod author's discretion.
- // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+ // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
 // +optional
 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"`
- // volumes is a white list of allowed volume plugins. Empty indicates that all plugins
- // may be used.
+ // volumes is a white list of allowed volume plugins. Empty indicates that
+ // no volumes may be used. To allow all volumes you may use '*'.
 // +optional
 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"`
 // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
@@ -173,39 +173,40 @@ type PodSecurityPolicySpec struct {
 SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"`
 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
 RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"`
- // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+ // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
 SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"`
- // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+ // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
 FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"`
- // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+ // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
 // system. If the container specifically requests to run with a non-read only root file system
 // the PSP should deny the pod.
 // If set to false the container may run with a read only root file system if it wishes but it
 // will not be forced to.
 // +optional
 ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
- // DefaultAllowPrivilegeEscalation controls the default setting for whether a
+ // defaultAllowPrivilegeEscalation controls the default setting for whether a
 // process can gain more privileges than its parent process.
 // +optional
 DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
- // AllowPrivilegeEscalation determines if a pod can request to allow
+ // allowPrivilegeEscalation determines if a pod can request to allow
 // privilege escalation. If unspecified, defaults to true.
 // +optional
 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
- // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // allowedHostPaths is a white list of allowed host paths. Empty indicates
+ // that all host paths may be used.
 // +optional
 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
- // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
- // is allowed in the "Volumes" field.
+ // is allowed in the "volumes" field.
 // +optional
 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
 }
 
-// defines the host volume conditions that will be enabled by a policy
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
 // for pods to use. It requires the path prefix to be defined.
 type AllowedHostPath struct {
- // is the path prefix that the host volume must match.
+ // pathPrefix is the path prefix that the host volume must match.
 // It does not support `*`.
 // Trailing slashes are trimmed when validating the path prefix with a host path.
 //
@@ -215,7 +216,7 @@ type AllowedHostPath struct {
 PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
 }
 
-// FS Type gives strong typing to different file systems that are used by volumes.
+// FSType gives strong typing to different file systems that are used by volumes.
 type FSType string
 
 var (
@@ -245,11 +246,11 @@ var (
 
 // AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
 type AllowedFlexVolume struct {
- // Driver is the name of the Flexvolume driver.
+ // driver is the name of the Flexvolume driver.
 Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"`
 }
 
-// Host Port Range defines a range of host ports that will be enabled by a policy
+// HostPortRange defines a range of host ports that will be enabled by a policy
 // for pods to use. It requires both the start and end to be defined.
 type HostPortRange struct {
 // min is the start of the range, inclusive.
@@ -258,9 +259,9 @@ type HostPortRange struct {
 Max int32 `json:"max" protobuf:"varint,2,opt,name=max"`
 }
 
-// SELinux Strategy Options defines the strategy type and any options used to create the strategy.
+// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
 type SELinuxStrategyOptions struct {
- // type is the strategy that will dictate the allowable labels that may be set.
+ // rule is the strategy that will dictate the allowable labels that may be set.
 Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"`
 // seLinuxOptions required to run as; required for MustRunAs
 // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
@@ -273,26 +274,27 @@ type SELinuxStrategyOptions struct {
 type SELinuxStrategy string
 
 const (
- // container must have SELinux labels of X applied.
+ // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
- // container may make requests for any SELinux context labels.
+ // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
 )
 
-// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
+// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
 type RunAsUserStrategyOptions struct {
- // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+ // rule is the strategy that will dictate the allowable RunAsUser values that may be set.
 Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"`
- // Ranges are the allowed ranges of uids that may be used.
+ // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
+ // then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
 
-// ID Range provides a min/max of an allowed range of IDs.
+// IDRange provides a min/max of an allowed range of IDs.
 type IDRange struct {
- // Min is the start of the range, inclusive.
+ // min is the start of the range, inclusive.
 Min int64 `json:"min" protobuf:"varint,1,opt,name=min"`
- // Max is the end of the range, inclusive.
+ // max is the end of the range, inclusive.
 Max int64 `json:"max" protobuf:"varint,2,opt,name=max"`
 }
 
@@ -301,21 +303,21 @@ type IDRange struct {
 type RunAsUserStrategy string
 
 const (
- // container must run as a particular uid.
+ // RunAsUserStrategyMustRunAs means that container must run as a particular uid.
 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
- // container must run as a non-root uid
+ // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid.
 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
- // container may make requests for any uid.
+ // RunAsUserStrategyRunAsAny means that container may make requests for any uid.
 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
 )
 
 // FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
 type FSGroupStrategyOptions struct {
- // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+ // rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
 // +optional
 Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"`
- // Ranges are the allowed ranges of fs groups. If you would like to force a single
- // fs group then supply a single range with the same start and end.
+ // ranges are the allowed ranges of fs groups. If you would like to force a single
+ // fs group then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
@@ -325,19 +327,19 @@ type FSGroupStrategyOptions struct {
 type FSGroupStrategyType string
 
 const (
- // container must have FSGroup of X applied.
+ // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied.
 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
- // container may make requests for any FSGroup labels.
+ // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
 )
 
 // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
 type SupplementalGroupsStrategyOptions struct {
- // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+ // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
 // +optional
 Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"`
- // Ranges are the allowed ranges of supplemental groups. If you would like to force a single
- // supplemental group then supply a single range with the same start and end.
+ // ranges are the allowed ranges of supplemental groups. If you would like to force a single
+ // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
 // +optional
 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
 }
@@ -347,15 +349,15 @@ type SupplementalGroupsStrategyOptions struct {
 type SupplementalGroupsStrategyType string
 
 const (
- // container must run as a particular gid.
+ // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
- // container may make requests for any gid.
+ // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
 )
 
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// Pod Security Policy List is a list of PodSecurityPolicy objects.
+// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
 type PodSecurityPolicyList struct {
 metav1.TypeMeta `json:",inline"`
 // Standard list metadata.
@@ -363,6 +365,6 @@ type PodSecurityPolicyList struct {
 // +optional
 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
 
- // Items is a list of schema objects.
+ // items is a list of schema objects.
 Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
 }