Kazan v0.6.0 Kazan.Apis.Extensions.V1beta1.PodSecurityPolicySpec
Pod Security Policy Spec defines the policy enforced.
OpenAPI Definition: io.k8s.api.extensions.v1beta1.PodSecurityPolicySpec
Properties
allow_privilege_escalation :: Boolean - AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
allowed_capabilities :: [String] - AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author’s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
allowed_host_paths :: [Kazan.Apis.Extensions.V1beta1.AllowedHostPath] - AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
default_add_capabilities :: [String] - DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities.
default_allow_privilege_escalation :: Boolean - DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
fs_group :: Kazan.Apis.Extensions.V1beta1.FSGroupStrategyOptions - Deprecated. Please use io.k8s.api.extensions.v1beta1.FSGroupStrategyOptions instead.
host_ipc :: Boolean - hostIPC determines if the policy allows the use of HostIPC in the pod spec.
host_network :: Boolean - hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
host_pid :: Boolean - hostPID determines if the policy allows the use of HostPID in the pod spec.
host_ports :: [Kazan.Apis.Extensions.V1beta1.HostPortRange] - hostPorts determines which host port ranges are allowed to be exposed.
privileged :: Boolean - privileged determines if a pod can request to be run as privileged.
read_only_root_filesystem :: Boolean - ReadOnlyRootFilesystem, when set to true, will force containers to run with a read-only root file system. If the container specifically requests to run with a non-read-only root file system, the PSP should deny the pod. If set to false, the container may run with a read-only root file system if it wishes, but it will not be forced to.
required_drop_capabilities :: [String] - RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
run_as_user :: Kazan.Apis.Extensions.V1beta1.RunAsUserStrategyOptions - Deprecated. Please use io.k8s.api.extensions.v1beta1.RunAsUserStrategyOptions instead.
se_linux :: Kazan.Apis.Extensions.V1beta1.SELinuxStrategyOptions - Deprecated. Please use io.k8s.api.extensions.v1beta1.SELinuxStrategyOptions instead.
supplemental_groups :: Kazan.Apis.Extensions.V1beta1.SupplementalGroupsStrategyOptions - Deprecated. Please use io.k8s.api.extensions.v1beta1.SupplementalGroupsStrategyOptions instead.
volumes :: [String] - volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.
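
Several of the properties above are permissive when left unset or empty, and two capability lists must not overlap with required_drop_capabilities. The following is an added example, not part of Kazan or its documentation: a hypothetical PspAudit module that lints a spec for those conditions as the descriptions above state them. It reads the fields with Map.get, so it accepts a plain map with the same keys (as in the constructed sample) and runs without Kazan installed.

```elixir
defmodule PspAudit do
  # Boolean properties that grant host-level access when true.
  @host_flags [:privileged, :host_ipc, :host_network, :host_pid]

  # Returns a list of finding strings for a spec given as a map or struct
  # keyed by the property names documented above.
  def findings(spec) do
    dropped = list(spec, :required_drop_capabilities)

    []
    |> overlap(spec, :allowed_capabilities, dropped)
    |> overlap(spec, :default_add_capabilities, dropped)
    |> flag(Map.get(spec, :allow_privilege_escalation) != false,
      "allow_privilege_escalation is not false (unspecified defaults to true)")
    |> flag(list(spec, :allowed_host_paths) == [],
      "allowed_host_paths is empty: all host paths may be used")
    |> flag(list(spec, :volumes) == [],
      "volumes is empty: all volume plugins may be used")
    |> flag(Map.get(spec, :read_only_root_filesystem) != true,
      "read_only_root_filesystem is not forced")
    |> host_flags(spec)
    |> Enum.reverse()
  end

  # Treat a missing or nil list property as empty.
  defp list(spec, key), do: Map.get(spec, key) || []

  defp flag(acc, true, msg), do: [msg | acc]
  defp flag(acc, false, _msg), do: acc

  # A capability must not appear in both `key` and required_drop_capabilities.
  defp overlap(acc, spec, key, dropped) do
    case Enum.filter(list(spec, key), &(&1 in dropped)) do
      [] -> acc
      both -> ["#{key} and required_drop_capabilities both list #{Enum.join(both, ", ")}" | acc]
    end
  end

  defp host_flags(acc, spec) do
    Enum.reduce(@host_flags, acc, fn key, acc ->
      flag(acc, Map.get(spec, key) == true, "#{key} is true")
    end)
  end
end

# Constructed sample spec (not taken from any real cluster).
sample = %{
  privileged: false,
  host_network: true,
  allowed_capabilities: ["NET_ADMIN", "SYS_TIME"],
  required_drop_capabilities: ["SYS_TIME"],
  volumes: ["configMap", "secret"]
}

Enum.each(PspAudit.findings(sample), &IO.puts/1)
```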