github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-01 15:58:37 +00:00
Code Issues Projects Releases Wiki Activity

PodSecurityPolicy RuntimeClass API

Browse Source
This commit is contained in:
Tim Allclair 2019-02-06 11:01:12 -08:00
parent 36e06bbb1f
commit 821cb155ab
3 changed files with 72 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
pkg/apis/policy/types.go
View File

@ -240,6 +240,11 @@ type PodSecurityPolicySpec struct {
// Empty or nil indicates that only the DefaultProcMountType may be used. // Empty or nil indicates that only the DefaultProcMountType may be used.
// +optional // +optional
AllowedProcMountTypes []api.ProcMountType AllowedProcMountTypes []api.ProcMountType
// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
// If this field is omitted, the pod's runtimeClassName field is unrestricted.
// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
// +optional
RuntimeClass *RuntimeClassStrategyOptions
} }
// AllowedHostPath defines the host volume conditions that will be enabled by a policy // AllowedHostPath defines the host volume conditions that will be enabled by a policy
@ -444,6 +449,25 @@ const (
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
) )
// RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
// for a pod.
type RuntimeClassStrategyOptions struct {
// allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
// list. An empty list requires the RuntimeClassName field to be unset.
AllowedRuntimeClassNames []string
// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
// The default MUST be allowed by the allowedRuntimeClassNames list.
// A value of nil does not mutate the Pod.
// +optional
DefaultRuntimeClassName *string
}
// AllowAllRuntimeClassNames can be used as a value for the
// RuntimeClassStrategyOptions.allowedRuntimeClassNames field and means that any runtimeClassName is
// allowed.
const AllowAllRuntimeClassNames = "*"
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicyList is a list of PodSecurityPolicy objects. // PodSecurityPolicyList is a list of PodSecurityPolicy objects.

24
staging/src/k8s.io/api/extensions/v1beta1/types.go
View File

@ -956,6 +956,11 @@ type PodSecurityPolicySpec struct {
// This requires the ProcMountType feature flag to be enabled. // This requires the ProcMountType feature flag to be enabled.
// +optional // +optional
AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"` AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
// If this field is omitted, the pod's runtimeClassName field is unrestricted.
// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
// +optional
RuntimeClass *RuntimeClassStrategyOptions `json:"runtimeClass,omitempty" protobuf:"bytes,24,opt,name=runtimeClass"`
} }
// AllowedHostPath defines the host volume conditions that will be enabled by a policy // AllowedHostPath defines the host volume conditions that will be enabled by a policy
@ -1171,6 +1176,25 @@ const (
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
) )
// RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
// for a pod.
type RuntimeClassStrategyOptions struct {
// allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
// list. An empty list requires the RuntimeClassName field to be unset.
AllowedRuntimeClassNames []string `json:"allowedRuntimeClassNames" protobuf:"bytes,1,rep,name=allowedRuntimeClassNames"`
// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
// The default MUST be allowed by the allowedRuntimeClassNames list.
// A value of nil does not mutate the Pod.
// +optional
DefaultRuntimeClassName *string `json:"defaultRuntimeClassName,omitempty" protobuf:"bytes,2,opt,name=defaultRuntimeClassName"`
}
// AllowAllRuntimeClassNames can be used as a value for the
// RuntimeClassStrategyOptions.AllowedRuntimeClassNames field and means that any RuntimeClassName is
// allowed.
const AllowAllRuntimeClassNames = "*"
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicyList is a list of PodSecurityPolicy objects. // PodSecurityPolicyList is a list of PodSecurityPolicy objects.

24
staging/src/k8s.io/api/policy/v1beta1/types.go
View File

@ -244,6 +244,11 @@ type PodSecurityPolicySpec struct {
// This requires the ProcMountType feature flag to be enabled. // This requires the ProcMountType feature flag to be enabled.
// +optional // +optional
AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"` AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
// If this field is omitted, the pod's runtimeClassName field is unrestricted.
// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
// +optional
RuntimeClass *RuntimeClassStrategyOptions `json:"runtimeClass,omitempty" protobuf:"bytes,24,opt,name=runtimeClass"`
} }
// AllowedHostPath defines the host volume conditions that will be enabled by a policy // AllowedHostPath defines the host volume conditions that will be enabled by a policy
@ -449,6 +454,25 @@ const (
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
) )
// RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
// for a pod.
type RuntimeClassStrategyOptions struct {
// allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
// list. An empty list requires the RuntimeClassName field to be unset.
AllowedRuntimeClassNames []string `json:"allowedRuntimeClassNames" protobuf:"bytes,1,rep,name=allowedRuntimeClassNames"`
// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
// The default MUST be allowed by the allowedRuntimeClassNames list.
// A value of nil does not mutate the Pod.
// +optional
DefaultRuntimeClassName *string `json:"defaultRuntimeClassName,omitempty" protobuf:"bytes,2,opt,name=defaultRuntimeClassName"`
}
// AllowAllRuntimeClassNames can be used as a value for the
// RuntimeClassStrategyOptions.AllowedRuntimeClassNames field and means that any RuntimeClassName is
// allowed.
const AllowAllRuntimeClassNames = "*"
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicyList is a list of PodSecurityPolicy objects. // PodSecurityPolicyList is a list of PodSecurityPolicy objects.