Struct k8s_openapi::v1_8::api::extensions::v1beta1::PodSecurityPolicySpec
pub struct PodSecurityPolicySpec {
pub allow_privilege_escalation: Option<bool>,
pub allowed_capabilities: Option<Vec<String>>,
pub allowed_host_paths: Option<Vec<AllowedHostPath>>,
pub default_add_capabilities: Option<Vec<String>>,
pub default_allow_privilege_escalation: Option<bool>,
pub fs_group: FSGroupStrategyOptions,
pub host_ipc: Option<bool>,
pub host_network: Option<bool>,
pub host_pid: Option<bool>,
pub host_ports: Option<Vec<HostPortRange>>,
pub privileged: Option<bool>,
pub read_only_root_filesystem: Option<bool>,
pub required_drop_capabilities: Option<Vec<String>>,
pub run_as_user: RunAsUserStrategyOptions,
pub se_linux: SELinuxStrategyOptions,
pub supplemental_groups: SupplementalGroupsStrategyOptions,
pub volumes: Option<Vec<String>>,
}
Pod Security Policy Spec defines the policy enforced.
Fields
allow_privilege_escalation: Option<bool>
AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
allowed_capabilities: Option<Vec<String>>
AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author’s discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
allowed_host_paths: Option<Vec<AllowedHostPath>>
AllowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
default_add_capabilities: Option<Vec<String>>
DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities.
default_allow_privilege_escalation: Option<bool>
DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
fs_group: FSGroupStrategyOptions
FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
host_ipc: Option<bool>
hostIPC determines if the policy allows the use of HostIPC in the pod spec.
host_network: Option<bool>
hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
host_pid: Option<bool>
hostPID determines if the policy allows the use of HostPID in the pod spec.
host_ports: Option<Vec<HostPortRange>>
hostPorts determines which host port ranges are allowed to be exposed.
privileged: Option<bool>
privileged determines if a pod can request to be run as privileged.
read_only_root_filesystem: Option<bool>
ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
required_drop_capabilities: Option<Vec<String>>
RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
run_as_user: RunAsUserStrategyOptions
runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
se_linux: SELinuxStrategyOptions
seLinux is the strategy that will dictate the allowable labels that may be set.
supplemental_groups: SupplementalGroupsStrategyOptions
SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
volumes: Option<Vec<String>>
volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.
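The field docs above state two kinds of rule: consistency constraints on the policy itself (no capability in both AllowedCapabilities or DefaultAddCapabilities and RequiredDropCapabilities) and admission rules applied to a container (privileged, ReadOnlyRootFilesystem, added capabilities). The following is an added example, not code from the k8s_openapi crate: `PspSpec` is a hypothetical stand-in for this struct carrying only the fields the checks use, and `ContainerRequest` is a constructed stand-in for the relevant parts of a container's security context.

```rust
// Added example, not code from the k8s_openapi crate: a stand-in for the page's
// PodSecurityPolicySpec holding only the fields the checks below use.
#[derive(Debug, Default)]
pub struct PspSpec {
    pub allowed_capabilities: Option<Vec<String>>,
    pub default_add_capabilities: Option<Vec<String>>,
    pub required_drop_capabilities: Option<Vec<String>>,
    pub privileged: Option<bool>,
    pub read_only_root_filesystem: Option<bool>,
}
pub struct ContainerRequest {
    pub add_capabilities: Vec<String>,
    pub privileged: bool,
    pub read_only_root_filesystem: Option<bool>,
}
fn names(v: &Option<Vec<String>>) -> &[String] { v.as_deref().unwrap_or(&[]) }
/// Invariant from the field docs: no capability may be listed in both
/// AllowedCapabilities (or DefaultAddCapabilities) and RequiredDropCapabilities.
pub fn policy_errors(spec: &PspSpec) -> Vec<String> {
    let dropped = names(&spec.required_drop_capabilities);
    let mut errs = Vec::new();
    for (label, list) in [("AllowedCapabilities", &spec.allowed_capabilities),
                          ("DefaultAddCapabilities", &spec.default_add_capabilities)] {
        for c in names(list).iter().filter(|c| dropped.contains(c)) {
            errs.push(format!("{} is in both {} and RequiredDropCapabilities", c, label));
        }
    }
    errs
}
/// Reasons the policy would deny the request; empty means admitted. Simplified reading of the
/// docs: an added capability must be in AllowedCapabilities and not in RequiredDropCapabilities.
pub fn denial_reasons(spec: &PspSpec, req: &ContainerRequest) -> Vec<String> {
    let mut reasons = Vec::new();
    if req.privileged && spec.privileged != Some(true) {
        reasons.push("privileged requested but policy does not allow it".to_string());
    }
    // ReadOnlyRootFilesystem=true forces a read-only root, so an explicit writable root is denied.
    if spec.read_only_root_filesystem == Some(true) && req.read_only_root_filesystem == Some(false) {
        reasons.push("writable root filesystem requested but policy forces read-only".to_string());
    }
    for c in &req.add_capabilities {
        if names(&spec.required_drop_capabilities).contains(c) {
            reasons.push(format!("{} is in RequiredDropCapabilities and cannot be added", c));
        } else if !names(&spec.allowed_capabilities).contains(c) {
            reasons.push(format!("{} is not in AllowedCapabilities", c));
        }
    }
    reasons
}
```

The "*" wildcard and DefaultAddCapabilities are deliberately not modelled in the admission check; the real PSP admission controller also handles those.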
Trait Implementations
impl Clone for PodSecurityPolicySpec
    fn clone(&self) -> PodSecurityPolicySpec
    fn clone_from(&mut self, source: &Self)