LinuxContainerSecurityContext

Struct LinuxContainerSecurityContext

    pub struct LinuxContainerSecurityContext {
        pub capabilities: Option<Capability>,
        pub privileged: bool,
        pub namespace_options: Option<NamespaceOption>,
        pub selinux_options: Option<SeLinuxOption>,
        pub run_as_user: Option<Int64Value>,
        pub run_as_group: Option<Int64Value>,
        pub run_as_username: String,
        pub readonly_rootfs: bool,
        pub supplemental_groups: Vec<i64>,
        pub no_new_privs: bool,
        pub masked_paths: Vec<String>,
        pub readonly_paths: Vec<String>,
        pub seccomp: Option<SecurityProfile>,
        pub apparmor: Option<SecurityProfile>,
        pub apparmor_profile: String,
        pub seccomp_profile_path: String,
    }

LinuxContainerSecurityContext holds linux security configuration that will be applied to a container.

Fields

capabilities: Option<Capability>

Capabilities to add or drop.

privileged: bool

If set, run the container in privileged mode. Privileged mode is incompatible with the following options; if privileged is set, the following features MAY have no effect:

  1. capabilities
  2. selinux_options
  3. seccomp
  4. apparmor

Privileged mode implies that the following specific options are applied:

  1. All capabilities are added.
  2. Sensitive paths, such as kernel module paths within sysfs, are not masked.
  3. Any sysfs and procfs mounts are mounted RW.
  4. AppArmor confinement is not applied.
  5. Seccomp restrictions are not applied.
  6. The device cgroup does not restrict access to any devices.
  7. All devices from the host’s /dev are available within the container.
  8. SELinux restrictions are not applied (e.g. label=disabled).

namespace_options: Option<NamespaceOption>

Configuration for the container’s namespaces. Only used if the container uses namespaces for isolation.

selinux_options: Option<SeLinuxOption>

SELinux context to be optionally applied.

run_as_user: Option<Int64Value>

UID to run the container process as. Only one of run_as_user and run_as_username can be specified at a time.

run_as_group: Option<Int64Value>

GID to run the container process as. run_as_group should only be specified when run_as_user or run_as_username is specified; otherwise, the runtime MUST error.

run_as_username: String

User name to run the container process as. If specified, the user MUST exist in the container image (i.e. in the /etc/passwd inside the image) and be resolved there by the runtime; otherwise, the runtime MUST error.

readonly_rootfs: bool

If set, the root filesystem of the container is read-only.

supplemental_groups: Vec<i64>

List of groups applied to the first process run in the container, in addition to the container’s primary GID.

no_new_privs: bool

Whether the no_new_privs flag should be set on the container process.

masked_paths: Vec<String>

List of paths that should be masked by the container runtime; it can be passed directly to the OCI spec.

readonly_paths: Vec<String>

List of paths that should be set as read-only by the container runtime; it can be passed directly to the OCI spec.

seccomp: Option<SecurityProfile>

Seccomp profile for the container.

apparmor: Option<SecurityProfile>

AppArmor profile for the container.

apparmor_profile: String (Deprecated)

AppArmor profile for the container, candidate values are:

seccomp_profile_path: String (Deprecated)

Seccomp profile for the container, candidate values are:

  • runtime/default: the default profile for the container runtime
  • unconfined: unconfined profile, i.e. no seccomp sandboxing
  • localhost/<profile_name>: the profile installed on the node. <profile_name> is the full path of the profile. Default: “”, which is identical to unconfined.
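As an added example (not code from the crate this page documents), the following validator encodes the constraints the field descriptions above state, the way an admission check or a runtime front-end would apply them before a container is created: run_as_user and run_as_username are mutually exclusive, run_as_group requires one of them (the runtime MUST error otherwise), and in privileged mode capabilities, selinux_options, seccomp and apparmor MAY have no effect, so setting them there is reported as a silent loss of confinement. `SecurityContext`, `Capability` and `Finding` are local stand-ins written for this example: the field names match the page, but `Int64Value` is simplified to `i64`, the `SeLinuxOption` and `SecurityProfile` messages to a plain profile name, and the `Capability` field names are assumed. The two baseline checks on `no_new_privs` and `readonly_rootfs` are this example's own hardening policy, not rules from the page.

```rust
use std::fmt;

/// Local stand-in for the generated `Capability` message. The page only says
/// it holds capabilities to add or drop; these field names are assumed.
#[derive(Debug, Default, Clone)]
pub struct Capability {
    pub add_capabilities: Vec<String>,
    pub drop_capabilities: Vec<String>,
}

/// Local stand-in for LinuxContainerSecurityContext carrying only the fields
/// the checks below need. Int64Value is simplified to i64 and the SELinux /
/// seccomp / AppArmor messages to a plain profile name.
#[derive(Debug, Default, Clone)]
pub struct SecurityContext {
    pub capabilities: Option<Capability>,
    pub privileged: bool,
    pub selinux_options: Option<String>,
    pub run_as_user: Option<i64>,
    pub run_as_group: Option<i64>,
    pub run_as_username: String,
    pub readonly_rootfs: bool,
    pub no_new_privs: bool,
    pub seccomp: Option<String>,
    pub apparmor: Option<String>,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity {
    /// The field docs say the runtime MUST reject this context.
    Error,
    /// The context is accepted, but a confinement setting will silently not take effect.
    Warning,
    /// Hardening baseline of this example, not a rule from the field docs.
    Info,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding {
    pub severity: Severity,
    pub field: &'static str,
    pub message: String,
}

impl fmt::Display for Finding {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{:?} [{}]: {}", self.severity, self.field, self.message)
    }
}

fn finding(severity: Severity, field: &'static str, message: impl Into<String>) -> Finding {
    Finding { severity, field, message: message.into() }
}

/// Checks a context against the constraints stated in the field docs and
/// returns every finding; an empty vector means nothing to report.
pub fn validate(ctx: &SecurityContext) -> Vec<Finding> {
    let mut out = Vec::new();

    // run_as_user and run_as_username: only one may be specified at a time.
    if ctx.run_as_user.is_some() && !ctx.run_as_username.is_empty() {
        out.push(finding(Severity::Error, "run_as_user",
            "only one of run_as_user and run_as_username may be set"));
    }
    // run_as_group requires run_as_user or run_as_username; otherwise the runtime MUST error.
    if ctx.run_as_group.is_some() && ctx.run_as_user.is_none() && ctx.run_as_username.is_empty() {
        out.push(finding(Severity::Error, "run_as_group",
            "run_as_group is set without run_as_user or run_as_username"));
    }
    // Privileged mode: all capabilities, host /dev, no seccomp/AppArmor/SELinux, and the
    // four confinement options MAY have no effect, so flag each one that is set.
    if ctx.privileged {
        out.push(finding(Severity::Warning, "privileged",
            "all capabilities added, host /dev exposed, seccomp/AppArmor/SELinux not applied"));
        let options = [
            ("capabilities", ctx.capabilities.is_some()),
            ("selinux_options", ctx.selinux_options.is_some()),
            ("seccomp", ctx.seccomp.is_some()),
            ("apparmor", ctx.apparmor.is_some()),
        ];
        for (name, set) in options {
            if set {
                out.push(finding(Severity::Warning, "privileged",
                    format!("{name} is set but may have no effect in privileged mode")));
            }
        }
    }
    // Baseline hardening checks: this example's policy, not the field docs'.
    if !ctx.no_new_privs {
        out.push(finding(Severity::Info, "no_new_privs", "no_new_privs is not set"));
    }
    if !ctx.readonly_rootfs {
        out.push(finding(Severity::Info, "readonly_rootfs", "root filesystem is writable"));
    }
    out
}

pub fn has_errors(findings: &[Finding]) -> bool {
    findings.iter().any(|f| f.severity == Severity::Error)
}

fn main() {
    // Constructed sample: privileged, asks for seccomp anyway, and sets a GID with no user.
    let ctx = SecurityContext {
        privileged: true,
        seccomp: Some("runtime/default".to_string()),
        run_as_group: Some(0),
        ..Default::default()
    };
    for f in validate(&ctx) {
        println!("{f}");
    }
}
```

A context that only survives because the runtime happens to ignore a field is the case worth catching: the `Warning` findings exist so that a reviewer sees that a seccomp or AppArmor profile requested alongside `privileged: true` provides no confinement, rather than assuming the profile is in force.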

Trait Implementations

impl Clone for LinuxContainerSecurityContext

fn clone(&self) -> LinuxContainerSecurityContext

Returns a duplicate of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.

impl Debug for LinuxContainerSecurityContext

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for LinuxContainerSecurityContext

fn default() -> Self

Returns the “default value” for a type.

impl<'de> Deserialize<'de> for LinuxContainerSecurityContext

fn deserialize<__D>(__deserializer: __D) -> Result<Self, __D::Error>
where __D: Deserializer<'de>,

Deserialize this value from the given Serde deserializer.

impl Message for LinuxContainerSecurityContext

fn encoded_len(&self) -> usize

Returns the encoded length of the message without a length delimiter.

fn clear(&mut self)

Clears the message, resetting all fields to their default.

fn encode(&self, buf: &mut impl BufMut) -> Result<(), EncodeError>
where Self: Sized,

Encodes the message to a buffer.

fn encode_to_vec(&self) -> Vec<u8>
where Self: Sized,

Encodes the message to a newly allocated buffer.

fn encode_length_delimited(&self, buf: &mut impl BufMut) -> Result<(), EncodeError>
where Self: Sized,

Encodes the message with a length delimiter to a buffer.

fn encode_length_delimited_to_vec(&self) -> Vec<u8>
where Self: Sized,

Encodes the message with a length delimiter to a newly allocated buffer.

fn decode(buf: impl Buf) -> Result<Self, DecodeError>
where Self: Default,

Decodes an instance of the message from a buffer.

fn decode_length_delimited(buf: impl Buf) -> Result<Self, DecodeError>
where Self: Default,

Decodes a length-delimited instance of the message from the buffer.

fn merge(&mut self, buf: impl Buf) -> Result<(), DecodeError>
where Self: Sized,

Decodes an instance of the message from a buffer and merges it into self.

fn merge_length_delimited(&mut self, buf: impl Buf) -> Result<(), DecodeError>
where Self: Sized,

Decodes a length-delimited instance of the message from a buffer and merges it into self.

impl PartialEq for LinuxContainerSecurityContext

fn eq(&self, other: &LinuxContainerSecurityContext) -> bool

Tests whether self and other are equal; used by ==.

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient and should not be overridden without very good reason.

impl Serialize for LinuxContainerSecurityContext

fn serialize<__S>(&self, __serializer: __S) -> Result<__S::Ok, __S::Error>
where __S: Serializer,

Serialize this value into the given Serde serializer.

impl StructuralPartialEq for LinuxContainerSecurityContext

Auto Trait Implementations

Blanket Implementations

impl<T> Any for T
where T: 'static + ?Sized,

fn type_id(&self) -> TypeId

Gets the TypeId of self.

impl<T> Borrow<T> for T
where T: ?Sized,

fn borrow(&self) -> &T

Immutably borrows from an owned value.

impl<T> BorrowMut<T> for T
where T: ?Sized,

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value.

impl<T> CloneToUninit for T
where T: Clone,

unsafe fn clone_to_uninit(&self, dest: *mut u8)

This is a nightly-only experimental API (clone_to_uninit). Performs copy-assignment from self to dest.

impl<T> From<T> for T

fn from(t: T) -> T

Returns the argument unchanged.

impl<T> FromRef<T> for T
where T: Clone,

fn from_ref(input: &T) -> T

Converts to this type from a reference to the input type.

impl<T> Instrument for T

fn instrument(self, span: Span) -> Instrumented<Self>

Instruments this type with the provided Span, returning an Instrumented wrapper.

fn in_current_span(self) -> Instrumented<Self>

Instruments this type with the current Span, returning an Instrumented wrapper.

impl<T, U> Into<U> for T
where U: From<T>,

fn into(self) -> U

Calls U::from(self). That is, this conversion is whatever the implementation of From<T> for U chooses to do.

impl<T> IntoRequest<T> for T

fn into_request(self) -> Request<T>

Wraps the input message T in a tonic::Request.

impl<T> ToOwned for T
where T: Clone,

type Owned = T

The resulting type after obtaining ownership.

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning.

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning.

impl<T, U> TryFrom<U> for T
where U: Into<T>,

type Error = Infallible

The type returned in the event of a conversion error.

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.

impl<T> WithSubscriber for T

fn with_subscriber<S>(self, subscriber: S) -> WithDispatch<Self>
where S: Into<Dispatch>,

Attaches the provided Subscriber to this type, returning a WithDispatch wrapper.

fn with_current_subscriber(self) -> WithDispatch<Self>

Attaches the current default Subscriber to this type, returning a WithDispatch wrapper.

impl<T> DeserializeOwned for T
where T: for<'de> Deserialize<'de>,