mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-29 22:46:12 +00:00
allowPrivilegeEscalation: update docs
Signed-off-by: Jess Frazelle <acidburn@google.com>
This commit is contained in:
Jess Frazelle
parent
ce70619a47
commit
ed3b78635f
@ -55011,6 +55011,10 @@
|
||||
"io.k8s.api.core.v1.SecurityContext": {
|
||||
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
|
||||
"properties": {
|
||||
"allowPrivilegeEscalation": {
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
|
||||
"type": "boolean"
|
||||
},
|
||||
"capabilities": {
|
||||
"description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
|
||||
"$ref": "#/definitions/io.k8s.api.core.v1.Capabilities"
|
||||
@ -56449,6 +56453,10 @@
|
||||
"fsGroup"
|
||||
],
|
||||
"properties": {
|
||||
"allowPrivilegeEscalation": {
|
||||
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
|
||||
"type": "boolean"
|
||||
},
|
||||
"allowedCapabilities": {
|
||||
"description": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
|
||||
"type": "array",
|
||||
@ -56463,6 +56471,10 @@
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"defaultAllowPrivilegeEscalation": {
|
||||
"description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
|
||||
"type": "boolean"
|
||||
},
|
||||
"fsGroup": {
|
||||
"description": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
|
||||
"$ref": "#/definitions/io.k8s.api.extensions.v1beta1.FSGroupStrategyOptions"
|
||||
|
||||
@ -5340,6 +5340,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -4352,6 +4352,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -3087,6 +3087,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -4168,6 +4168,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -8197,6 +8197,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
@ -9418,6 +9422,14 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to."
|
||||
},
|
||||
"defaultAllowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation."
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -20643,6 +20643,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -6023,6 +6023,13 @@ Examples:<br>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
@ -5780,6 +5780,13 @@ Examples:<br>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
@ -6693,7 +6700,7 @@ Examples:<br>
|
||||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2017-07-19 00:29:43 UTC
|
||||
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
@ -4993,7 +4993,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
|
||||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2017-07-19 00:29:43 UTC
|
||||
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
@ -5001,6 +5001,13 @@ Examples:<br>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
@ -4939,6 +4939,13 @@ Examples:<br>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
@ -6969,6 +6969,13 @@ Both these may change in the future. Incoming requests are matched against the h
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
@ -7594,6 +7601,20 @@ Both these may change in the future. Incoming requests are matched against the h
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">defaultAllowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it’s parent process.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
@ -1347,7 +1347,7 @@ Examples:<br>
|
||||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2017-07-18 22:23:24 UTC
|
||||
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
@ -1702,7 +1702,7 @@ span.icon > [class^="icon-"], span.icon > [class*=" icon-"] { cursor: default; }
|
||||
</div>
|
||||
<div id="footer">
|
||||
<div id="footer-text">
|
||||
Last updated 2017-07-18 22:23:24 UTC
|
||||
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
|
||||
@ -8366,6 +8366,13 @@ Examples:<br>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
@ -11676,6 +11676,10 @@
|
||||
"io.k8s.api.core.v1.SecurityContext": {
|
||||
"description": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
|
||||
"properties": {
|
||||
"allowPrivilegeEscalation": {
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
|
||||
"type": "boolean"
|
||||
},
|
||||
"capabilities": {
|
||||
"description": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
|
||||
"$ref": "#/definitions/io.k8s.api.core.v1.Capabilities"
|
||||
|
||||
@ -6556,6 +6556,10 @@
|
||||
"readOnlyRootFilesystem": {
|
||||
"type": "boolean",
|
||||
"description": "Whether this container has a read-only root filesystem. Default is false."
|
||||
},
|
||||
"allowPrivilegeEscalation": {
|
||||
"type": "boolean",
|
||||
"description": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN"
|
||||
}
|
||||
}
|
||||
},
|
||||
|
||||
@ -6452,6 +6452,13 @@ Both these may change in the future. Incoming requests are matched against the h
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">allowPrivilegeEscalation</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">AllowPrivilegeEscalation controls whether a process can gain more privileges than it’s parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">boolean</p></td>
|
||||
<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
@ -1763,13 +1763,14 @@ func (SecretVolumeSource) SwaggerDoc() map[string]string {
|
||||
}
|
||||
|
||||
var map_SecurityContext = map[string]string{
|
||||
"": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
|
||||
"capabilities": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
|
||||
"privileged": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
|
||||
"seLinuxOptions": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
|
||||
"runAsUser": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
|
||||
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
|
||||
"readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.",
|
||||
"": "SecurityContext holds security configuration that will be applied to a container. Some fields are present in both SecurityContext and PodSecurityContext. When both are set, the values in SecurityContext take precedence.",
|
||||
"capabilities": "The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.",
|
||||
"privileged": "Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.",
|
||||
"seLinuxOptions": "The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
|
||||
"runAsUser": "The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
|
||||
"runAsNonRoot": "Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.",
|
||||
"readOnlyRootFilesystem": "Whether this container has a read-only root filesystem. Default is false.",
|
||||
"allowPrivilegeEscalation": "AllowPrivilegeEscalation controls whether a process can gain more privileges than it's parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN",
|
||||
}
|
||||
|
||||
func (SecurityContext) SwaggerDoc() map[string]string {
|
||||
|
||||
@ -410,21 +410,23 @@ func (PodSecurityPolicyList) SwaggerDoc() map[string]string {
|
||||
}
|
||||
|
||||
var map_PodSecurityPolicySpec = map[string]string{
|
||||
"": "Pod Security Policy Spec defines the policy enforced.",
|
||||
"privileged": "privileged determines if a pod can request to be run as privileged.",
|
||||
"defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
|
||||
"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.",
|
||||
"allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
|
||||
"volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.",
|
||||
"hostNetwork": "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
|
||||
"hostPorts": "hostPorts determines which host port ranges are allowed to be exposed.",
|
||||
"hostPID": "hostPID determines if the policy allows the use of HostPID in the pod spec.",
|
||||
"hostIPC": "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
|
||||
"seLinux": "seLinux is the strategy that will dictate the allowable labels that may be set.",
|
||||
"runAsUser": "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
|
||||
"supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
|
||||
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
|
||||
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
|
||||
"": "Pod Security Policy Spec defines the policy enforced.",
|
||||
"privileged": "privileged determines if a pod can request to be run as privileged.",
|
||||
"defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
|
||||
"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.",
|
||||
"allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.",
|
||||
"volumes": "volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.",
|
||||
"hostNetwork": "hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
|
||||
"hostPorts": "hostPorts determines which host port ranges are allowed to be exposed.",
|
||||
"hostPID": "hostPID determines if the policy allows the use of HostPID in the pod spec.",
|
||||
"hostIPC": "hostIPC determines if the policy allows the use of HostIPC in the pod spec.",
|
||||
"seLinux": "seLinux is the strategy that will dictate the allowable labels that may be set.",
|
||||
"runAsUser": "runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.",
|
||||
"supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
|
||||
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
|
||||
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
|
||||
"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than it's parent process.",
|
||||
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation.",
|
||||
}
|
||||
|
||||
func (PodSecurityPolicySpec) SwaggerDoc() map[string]string {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user