Skip to main content

LinuxSandboxSecurityContext

shimkit_types::cri

Struct LinuxSandboxSecurityContext 

Source 
pub struct LinuxSandboxSecurityContext {
    pub namespace_options: Option<NamespaceOption>,
    pub selinux_options: Option<SeLinuxOption>,
    pub run_as_user: Option<Int64Value>,
    pub run_as_group: Option<Int64Value>,
    pub readonly_rootfs: bool,
    pub supplemental_groups: Vec<i64>,
    pub supplemental_groups_policy: i32,
    pub privileged: bool,
    pub seccomp: Option<SecurityProfile>,
    pub apparmor: Option<SecurityProfile>,
    pub seccomp_profile_path: String,
}
Expand description

LinuxSandboxSecurityContext holds linux security configuration that will be applied to a sandbox. Note that:

  1. It does not apply to containers in the pods.
  2. It may not be applicable to a PodSandbox which does not contain any running process.

Fields§

§namespace_options: Option<NamespaceOption>

Configurations for the sandbox’s namespaces. This will be used only if the PodSandbox uses namespace for isolation.

§selinux_options: Option<SeLinuxOption>

Optional SELinux context to be applied.

§run_as_user: Option<Int64Value>

UID to run sandbox processes as, when applicable.

§run_as_group: Option<Int64Value>

GID to run sandbox processes as, when applicable. run_as_group should only be specified when run_as_user is specified; otherwise, the runtime MUST error.

§readonly_rootfs: bool

If set, the root filesystem of the sandbox is read-only.

§supplemental_groups: Vec<i64>

List of groups applied to the first process run in each container. supplemental_groups_policy can control how groups will be calculated.

§supplemental_groups_policy: i32

supplemental_groups_policy defines how supplemental groups of the first container processes are calculated. Valid values are “Merge” and “Strict”. If not specified, “Merge” is used.

§privileged: bool

Indicates whether the sandbox will be asked to run a privileged container. If a privileged container is to be executed within it, this MUST be true. This allows a sandbox to take additional security precautions if no privileged containers are expected to be run.

§seccomp: Option<SecurityProfile>

Seccomp profile for the sandbox.

§apparmor: Option<SecurityProfile>

AppArmor profile for the sandbox.

§seccomp_profile_path: String
👎Deprecated

Seccomp profile for the sandbox, candidate values are:

  • runtime/default: the default profile for the container runtime
  • unconfined: unconfined profile, ie, no seccomp sandboxing
  • localhost/: the profile installed on the node. is the full path of the profile. Default: “”, which is identical with unconfined.

Implementations§

Source§

impl LinuxSandboxSecurityContext

Source

pub fn supplemental_groups_policy(&self) -> SupplementalGroupsPolicy

Returns the enum value of supplemental_groups_policy, or the default if the field is set to an invalid enum value.

Source

pub fn set_supplemental_groups_policy( &mut self, value: SupplementalGroupsPolicy, )

Sets supplemental_groups_policy to the provided enum value.

Trait Implementations§

Source§

impl Clone for LinuxSandboxSecurityContext

Source§

fn clone(&self) -> LinuxSandboxSecurityContext

Returns a duplicate of the value. Read more
1.0.0 (const: unstable) · Source§

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source. Read more
Source§

impl Debug for LinuxSandboxSecurityContext

Source§

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter. Read more
Source§

impl Default for LinuxSandboxSecurityContext

Source§

fn default() -> Self

Returns the “default value” for a type. Read more
Source§

impl Message for LinuxSandboxSecurityContext

Source§

fn encoded_len(&self) -> usize

Returns the encoded length of the message without a length delimiter.
Source§

fn clear(&mut self)

Clears the message, resetting all fields to their default.
Source§

fn encode(&self, buf: &mut impl BufMut) -> Result<(), EncodeError>
where Self: Sized,

Encodes the message to a buffer. Read more
Source§

fn encode_to_vec(&self) -> Vec<u8>
where Self: Sized,

Encodes the message to a newly allocated buffer.
Source§

fn encode_length_delimited( &self, buf: &mut impl BufMut, ) -> Result<(), EncodeError>
where Self: Sized,

Encodes the message with a length-delimiter to a buffer. Read more
Source§

fn encode_length_delimited_to_vec(&self) -> Vec<u8>
where Self: Sized,

Encodes the message with a length-delimiter to a newly allocated buffer.
Source§

fn decode(buf: impl Buf) -> Result<Self, DecodeError>
where Self: Default,

Decodes an instance of the message from a buffer. Read more
Source§

fn decode_length_delimited(buf: impl Buf) -> Result<Self, DecodeError>
where Self: Default,

Decodes a length-delimited instance of the message from the buffer.
Source§

fn merge(&mut self, buf: impl Buf) -> Result<(), DecodeError>
where Self: Sized,

Decodes an instance of the message from a buffer, and merges it into self. Read more
Source§

fn merge_length_delimited(&mut self, buf: impl Buf) -> Result<(), DecodeError>
where Self: Sized,

Decodes a length-delimited instance of the message from buffer, and merges it into self.
Source§

impl Name for LinuxSandboxSecurityContext

Source§

const NAME: &'static str = "LinuxSandboxSecurityContext"

Simple name for this Message. This name is the same as it appears in the source .proto file, e.g. FooBar.
Source§

const PACKAGE: &'static str = "runtime.v1"

Package name this message type is contained in. They are domain-like and delimited by ., e.g. google.protobuf.
Source§

fn full_name() -> String

Fully-qualified unique name for this Message. It’s prefixed with the package name and names of any parent messages, e.g. google.rpc.BadRequest.FieldViolation. By default, this is the package name followed by the message name. Fully-qualified names must be unique within a domain of Type URLs.
Source§

fn type_url() -> String

Type URL for this Message, which by default is the full name with a leading slash, but may also include a leading domain name, e.g. type.googleapis.com/google.profile.Person. This can be used when serializing into the google.protobuf.Any type.
Source§

impl PartialEq for LinuxSandboxSecurityContext

Source§

fn eq(&self, other: &LinuxSandboxSecurityContext) -> bool

Tests for self and other values to be equal, and is used by ==.
1.0.0 (const: unstable) · Source§

fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.
Source§

impl StructuralPartialEq for LinuxSandboxSecurityContext

Auto Trait Implementations§

Blanket Implementations§

Source§

impl<T> Any for T
where T: 'static + ?Sized,

Source§

fn type_id(&self) -> TypeId

Gets the TypeId of self. Read more
Source§

impl<T> Borrow<T> for T
where T: ?Sized,

Source§

fn borrow(&self) -> &T

Immutably borrows from an owned value. Read more
Source§

impl<T> BorrowMut<T> for T
where T: ?Sized,

Source§

fn borrow_mut(&mut self) -> &mut T

Mutably borrows from an owned value. Read more
Source§

impl<T> CloneToUninit for T
where T: Clone,

Source§

unsafe fn clone_to_uninit(&self, dest: *mut u8)

🔬This is a nightly-only experimental API. (clone_to_uninit)
Performs copy-assignment from self to dest. Read more
Source§

impl<T> From<T> for T

Source§

fn from(t: T) -> T

Returns the argument unchanged.

Source§

impl<T, U> Into<U> for T
where U: From<T>,

Source§

fn into(self) -> U

Calls U::from(self).

That is, this conversion is whatever the implementation of From<T> for U chooses to do.

Source§

impl<T> IntoEither for T

Source§

fn into_either(self, into_left: bool) -> Either<Self, Self>

Converts self into a Left variant of Either<Self, Self> if into_left is true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

fn into_either_with<F>(self, into_left: F) -> Either<Self, Self>
where F: FnOnce(&Self) -> bool,

Converts self into a Left variant of Either<Self, Self> if into_left(&self) returns true. Converts self into a Right variant of Either<Self, Self> otherwise. Read more
Source§

impl<T> ToOwned for T
where T: Clone,

Source§

type Owned = T

The resulting type after obtaining ownership.
Source§

fn to_owned(&self) -> T

Creates owned data from borrowed data, usually by cloning. Read more
Source§

fn clone_into(&self, target: &mut T)

Uses borrowed data to replace owned data, usually by cloning. Read more
Source§

impl<T, U> TryFrom<U> for T
where U: Into<T>,

Source§

type Error = Infallible

The type returned in the event of a conversion error.
Source§

fn try_from(value: U) -> Result<T, <T as TryFrom<U>>::Error>

Performs the conversion.
Source§

impl<T, U> TryInto<U> for T
where U: TryFrom<T>,

Source§

type Error = <U as TryFrom<T>>::Error

The type returned in the event of a conversion error.
Source§

fn try_into(self) -> Result<U, <U as TryFrom<T>>::Error>

Performs the conversion.