Class PodSecurityPolicySpec

java.lang.Object
    com.marcnuri.yakc.model.io.k8s.api.extensions.v1beta1.PodSecurityPolicySpec

All Implemented Interfaces: com.marcnuri.yakc.model.Model

public class PodSecurityPolicySpec extends java.lang.Object implements com.marcnuri.yakc.model.Model
PodSecurityPolicySpec defines the policy enforced. Deprecated: use PodSecurityPolicySpec from policy API Group instead.
Nested Class Summary

static class PodSecurityPolicySpec.Builder
-
Constructor Summary

PodSecurityPolicySpec()
PodSecurityPolicySpec(java.lang.Boolean allowPrivilegeEscalation, java.util.List<AllowedCSIDriver> allowedCSIDrivers, java.util.List<java.lang.String> allowedCapabilities, java.util.List<AllowedFlexVolume> allowedFlexVolumes, java.util.List<AllowedHostPath> allowedHostPaths, java.util.List<java.lang.String> allowedProcMountTypes, java.util.List<java.lang.String> allowedUnsafeSysctls, java.util.List<java.lang.String> defaultAddCapabilities, java.lang.Boolean defaultAllowPrivilegeEscalation, java.util.List<java.lang.String> forbiddenSysctls, @NonNull FSGroupStrategyOptions fsGroup, java.lang.Boolean hostIPC, java.lang.Boolean hostNetwork, java.lang.Boolean hostPID, java.util.List<HostPortRange> hostPorts, java.lang.Boolean privileged, java.lang.Boolean readOnlyRootFilesystem, java.util.List<java.lang.String> requiredDropCapabilities, RunAsGroupStrategyOptions runAsGroup, @NonNull RunAsUserStrategyOptions runAsUser, RuntimeClassStrategyOptions runtimeClass, @NonNull SELinuxStrategyOptions seLinux, @NonNull SupplementalGroupsStrategyOptions supplementalGroups, java.util.List<java.lang.String> volumes)
-
Method Summary

(All Methods | Static Methods | Instance Methods | Concrete Methods)

static PodSecurityPolicySpec.Builder builder()
protected boolean canEqual(java.lang.Object other)
boolean equals(java.lang.Object o)
java.util.List<java.lang.String> getAllowedCapabilities()
    allowedCapabilities is a list of capabilities that can be requested to add to the container.
java.util.List<AllowedCSIDriver> getAllowedCSIDrivers()
    AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
java.util.List<AllowedFlexVolume> getAllowedFlexVolumes()
    allowedFlexVolumes is a whitelist of allowed Flexvolumes.
java.util.List<AllowedHostPath> getAllowedHostPaths()
    allowedHostPaths is a white list of allowed host paths.
java.util.List<java.lang.String> getAllowedProcMountTypes()
    AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
java.util.List<java.lang.String> getAllowedUnsafeSysctls()
    allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
java.lang.Boolean getAllowPrivilegeEscalation()
    allowPrivilegeEscalation determines if a pod can request to allow privilege escalation.
java.util.List<java.lang.String> getDefaultAddCapabilities()
    defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.
java.lang.Boolean getDefaultAllowPrivilegeEscalation()
    defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
java.util.List<java.lang.String> getForbiddenSysctls()
    forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
@NonNull FSGroupStrategyOptions getFsGroup()
java.lang.Boolean getHostIPC()
    hostIPC determines if the policy allows the use of HostIPC in the pod spec.
java.lang.Boolean getHostNetwork()
    hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
java.lang.Boolean getHostPID()
    hostPID determines if the policy allows the use of HostPID in the pod spec.
java.util.List<HostPortRange> getHostPorts()
    hostPorts determines which host port ranges are allowed to be exposed.
java.lang.Boolean getPrivileged()
    privileged determines if a pod can request to be run as privileged.
java.lang.Boolean getReadOnlyRootFilesystem()
    readOnlyRootFilesystem when set to true will force containers to run with a read only root file system.
java.util.List<java.lang.String> getRequiredDropCapabilities()
    requiredDropCapabilities are the capabilities that will be dropped from the container.
RunAsGroupStrategyOptions getRunAsGroup()
@NonNull RunAsUserStrategyOptions getRunAsUser()
RuntimeClassStrategyOptions getRuntimeClass()
@NonNull SELinuxStrategyOptions getSeLinux()
@NonNull SupplementalGroupsStrategyOptions getSupplementalGroups()
java.util.List<java.lang.String> getVolumes()
    volumes is a white list of allowed volume plugins.
int hashCode()
void setAllowedCapabilities(java.util.List<java.lang.String> allowedCapabilities)
    allowedCapabilities is a list of capabilities that can be requested to add to the container.
void setAllowedCSIDrivers(java.util.List<AllowedCSIDriver> allowedCSIDrivers)
    AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
void setAllowedFlexVolumes(java.util.List<AllowedFlexVolume> allowedFlexVolumes)
    allowedFlexVolumes is a whitelist of allowed Flexvolumes.
void setAllowedHostPaths(java.util.List<AllowedHostPath> allowedHostPaths)
    allowedHostPaths is a white list of allowed host paths.
void setAllowedProcMountTypes(java.util.List<java.lang.String> allowedProcMountTypes)
    AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
void setAllowedUnsafeSysctls(java.util.List<java.lang.String> allowedUnsafeSysctls)
    allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
void setAllowPrivilegeEscalation(java.lang.Boolean allowPrivilegeEscalation)
    allowPrivilegeEscalation determines if a pod can request to allow privilege escalation.
void setDefaultAddCapabilities(java.util.List<java.lang.String> defaultAddCapabilities)
    defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.
void setDefaultAllowPrivilegeEscalation(java.lang.Boolean defaultAllowPrivilegeEscalation)
    defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
void setForbiddenSysctls(java.util.List<java.lang.String> forbiddenSysctls)
    forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
void setFsGroup(@NonNull FSGroupStrategyOptions fsGroup)
void setHostIPC(java.lang.Boolean hostIPC)
    hostIPC determines if the policy allows the use of HostIPC in the pod spec.
void setHostNetwork(java.lang.Boolean hostNetwork)
    hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
void setHostPID(java.lang.Boolean hostPID)
    hostPID determines if the policy allows the use of HostPID in the pod spec.
void setHostPorts(java.util.List<HostPortRange> hostPorts)
    hostPorts determines which host port ranges are allowed to be exposed.
void setPrivileged(java.lang.Boolean privileged)
    privileged determines if a pod can request to be run as privileged.
void setReadOnlyRootFilesystem(java.lang.Boolean readOnlyRootFilesystem)
    readOnlyRootFilesystem when set to true will force containers to run with a read only root file system.
void setRequiredDropCapabilities(java.util.List<java.lang.String> requiredDropCapabilities)
    requiredDropCapabilities are the capabilities that will be dropped from the container.
void setRunAsGroup(RunAsGroupStrategyOptions runAsGroup)
void setRunAsUser(@NonNull RunAsUserStrategyOptions runAsUser)
void setRuntimeClass(RuntimeClassStrategyOptions runtimeClass)
void setSeLinux(@NonNull SELinuxStrategyOptions seLinux)
void setSupplementalGroups(@NonNull SupplementalGroupsStrategyOptions supplementalGroups)
void setVolumes(java.util.List<java.lang.String> volumes)
    volumes is a white list of allowed volume plugins.
PodSecurityPolicySpec.Builder toBuilder()
java.lang.String toString()
Constructor Detail
-
PodSecurityPolicySpec
public PodSecurityPolicySpec(java.lang.Boolean allowPrivilegeEscalation, java.util.List<AllowedCSIDriver> allowedCSIDrivers, java.util.List<java.lang.String> allowedCapabilities, java.util.List<AllowedFlexVolume> allowedFlexVolumes, java.util.List<AllowedHostPath> allowedHostPaths, java.util.List<java.lang.String> allowedProcMountTypes, java.util.List<java.lang.String> allowedUnsafeSysctls, java.util.List<java.lang.String> defaultAddCapabilities, java.lang.Boolean defaultAllowPrivilegeEscalation, java.util.List<java.lang.String> forbiddenSysctls, @NonNull FSGroupStrategyOptions fsGroup, java.lang.Boolean hostIPC, java.lang.Boolean hostNetwork, java.lang.Boolean hostPID, java.util.List<HostPortRange> hostPorts, java.lang.Boolean privileged, java.lang.Boolean readOnlyRootFilesystem, java.util.List<java.lang.String> requiredDropCapabilities, RunAsGroupStrategyOptions runAsGroup, @NonNull RunAsUserStrategyOptions runAsUser, RuntimeClassStrategyOptions runtimeClass, @NonNull SELinuxStrategyOptions seLinux, @NonNull SupplementalGroupsStrategyOptions supplementalGroups, java.util.List<java.lang.String> volumes)
-
PodSecurityPolicySpec
public PodSecurityPolicySpec()
-
Method Detail
-
builder
public static PodSecurityPolicySpec.Builder builder()
-
toBuilder
public PodSecurityPolicySpec.Builder toBuilder()
-
getAllowPrivilegeEscalation
public java.lang.Boolean getAllowPrivilegeEscalation()
allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
-
getAllowedCSIDrivers
public java.util.List<AllowedCSIDriver> getAllowedCSIDrivers()
AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.
-
getAllowedCapabilities
public java.util.List<java.lang.String> getAllowedCapabilities()
allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
-
getAllowedFlexVolumes
public java.util.List<AllowedFlexVolume> getAllowedFlexVolumes()
allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.
-
getAllowedHostPaths
public java.util.List<AllowedHostPath> getAllowedHostPaths()
allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
-
getAllowedProcMountTypes
public java.util.List<java.lang.String> getAllowedProcMountTypes()
AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.
-
getAllowedUnsafeSysctls
public java.util.List<java.lang.String> getAllowedUnsafeSysctls()
allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. Examples: "foo/*" allows "foo/bar", "foo/baz", etc.; "foo.*" allows "foo.bar", "foo.baz", etc.
-
getDefaultAddCapabilities
public java.util.List<java.lang.String> getDefaultAddCapabilities()
defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
-
getDefaultAllowPrivilegeEscalation
public java.lang.Boolean getDefaultAllowPrivilegeEscalation()
defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
-
getForbiddenSysctls
public java.util.List<java.lang.String> getForbiddenSysctls()
forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. Examples: "foo/*" forbids "foo/bar", "foo/baz", etc.; "foo.*" forbids "foo.bar", "foo.baz", etc.
-
getFsGroup
public @NonNull FSGroupStrategyOptions getFsGroup()
-
getHostIPC
public java.lang.Boolean getHostIPC()
hostIPC determines if the policy allows the use of HostIPC in the pod spec.
-
getHostNetwork
public java.lang.Boolean getHostNetwork()
hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
-
getHostPID
public java.lang.Boolean getHostPID()
hostPID determines if the policy allows the use of HostPID in the pod spec.
-
getHostPorts
public java.util.List<HostPortRange> getHostPorts()
hostPorts determines which host port ranges are allowed to be exposed.
-
getPrivileged
public java.lang.Boolean getPrivileged()
privileged determines if a pod can request to be run as privileged.
-
getReadOnlyRootFilesystem
public java.lang.Boolean getReadOnlyRootFilesystem()
readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
-
getRequiredDropCapabilities
public java.util.List<java.lang.String> getRequiredDropCapabilities()
requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
-
getRunAsGroup
public RunAsGroupStrategyOptions getRunAsGroup()
-
getRunAsUser
public @NonNull RunAsUserStrategyOptions getRunAsUser()
-
getRuntimeClass
public RuntimeClassStrategyOptions getRuntimeClass()
-
getSeLinux
public @NonNull SELinuxStrategyOptions getSeLinux()
-
getSupplementalGroups
public @NonNull SupplementalGroupsStrategyOptions getSupplementalGroups()
-
getVolumes
public java.util.List<java.lang.String> getVolumes()
volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
-
setAllowPrivilegeEscalation
public void setAllowPrivilegeEscalation(java.lang.Boolean allowPrivilegeEscalation)
allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
-
setAllowedCSIDrivers
public void setAllowedCSIDrivers(java.util.List<AllowedCSIDriver> allowedCSIDrivers)
AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is an alpha field, and is only honored if the API server enables the CSIInlineVolume feature gate.
-
setAllowedCapabilities
public void setAllowedCapabilities(java.util.List<java.lang.String> allowedCapabilities)
allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
-
setAllowedFlexVolumes
public void setAllowedFlexVolumes(java.util.List<AllowedFlexVolume> allowedFlexVolumes)
allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.
-
setAllowedHostPaths
public void setAllowedHostPaths(java.util.List<AllowedHostPath> allowedHostPaths)
allowedHostPaths is a white list of allowed host paths. Empty indicates that all host paths may be used.
-
setAllowedProcMountTypes
public void setAllowedProcMountTypes(java.util.List<java.lang.String> allowedProcMountTypes)
AllowedProcMountTypes is a whitelist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.
-
setAllowedUnsafeSysctls
public void setAllowedUnsafeSysctls(java.util.List<java.lang.String> allowedUnsafeSysctls)
allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. Examples: "foo/*" allows "foo/bar", "foo/baz", etc.; "foo.*" allows "foo.bar", "foo.baz", etc.
-
setDefaultAddCapabilities
public void setDefaultAddCapabilities(java.util.List<java.lang.String> defaultAddCapabilities)
defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
-
setDefaultAllowPrivilegeEscalation
public void setDefaultAllowPrivilegeEscalation(java.lang.Boolean defaultAllowPrivilegeEscalation)
defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
-
setForbiddenSysctls
public void setForbiddenSysctls(java.util.List<java.lang.String> forbiddenSysctls)
forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. Examples: "foo/*" forbids "foo/bar", "foo/baz", etc.; "foo.*" forbids "foo.bar", "foo.baz", etc.
-
setFsGroup
public void setFsGroup(@NonNull FSGroupStrategyOptions fsGroup)
-
setHostIPC
public void setHostIPC(java.lang.Boolean hostIPC)
hostIPC determines if the policy allows the use of HostIPC in the pod spec.
-
setHostNetwork
public void setHostNetwork(java.lang.Boolean hostNetwork)
hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
-
setHostPID
public void setHostPID(java.lang.Boolean hostPID)
hostPID determines if the policy allows the use of HostPID in the pod spec.
-
setHostPorts
public void setHostPorts(java.util.List<HostPortRange> hostPorts)
hostPorts determines which host port ranges are allowed to be exposed.
-
setPrivileged
public void setPrivileged(java.lang.Boolean privileged)
privileged determines if a pod can request to be run as privileged.
-
setReadOnlyRootFilesystem
public void setReadOnlyRootFilesystem(java.lang.Boolean readOnlyRootFilesystem)
readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
-
setRequiredDropCapabilities
public void setRequiredDropCapabilities(java.util.List<java.lang.String> requiredDropCapabilities)
requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
-
setRunAsGroup
public void setRunAsGroup(RunAsGroupStrategyOptions runAsGroup)
-
setRunAsUser
public void setRunAsUser(@NonNull RunAsUserStrategyOptions runAsUser)
-
setRuntimeClass
public void setRuntimeClass(RuntimeClassStrategyOptions runtimeClass)
-
setSeLinux
public void setSeLinux(@NonNull SELinuxStrategyOptions seLinux)
-
setSupplementalGroups
public void setSupplementalGroups(@NonNull SupplementalGroupsStrategyOptions supplementalGroups)
-
setVolumes
public void setVolumes(java.util.List<java.lang.String> volumes)
volumes is a white list of allowed volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
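The field descriptions above state several rules a policy author has to respect: a capability must not appear in both allowedCapabilities (or defaultAddCapabilities) and requiredDropCapabilities, sysctl entries match exactly or by a trailing "*" prefix (a bare "*" matching everything), and an empty volumes list means no volumes at all while "*" allows every plugin. The following is an added example, not YAKC's own code, that builds a restrictive spec through the no-arg constructor and setters documented on this page and applies those rules as lint checks; PspSpecLint and its helper methods are hypothetical names, and the capability, sysctl and volume values are constructed sample input.

```java
import com.marcnuri.yakc.model.io.k8s.api.extensions.v1beta1.PodSecurityPolicySpec;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public class PspSpecLint {

    // Sysctl matching as described for allowedUnsafeSysctls/forbiddenSysctls:
    // a plain name matches exactly, a trailing "*" matches by prefix, "*" alone matches all.
    static boolean sysctlMatches(String pattern, String sysctl) {
        if (pattern.equals("*")) return true;
        if (pattern.endsWith("*")) return sysctl.startsWith(pattern.substring(0, pattern.length() - 1));
        return pattern.equals(sysctl);
    }

    static boolean anyMatch(List<String> patterns, String sysctl) {
        return patterns != null && patterns.stream().anyMatch(p -> sysctlMatches(p, sysctl));
    }

    // A sysctl is usable only if some allowed entry matches it and no forbidden entry does.
    static boolean sysctlPermitted(PodSecurityPolicySpec spec, String sysctl) {
        return anyMatch(spec.getAllowedUnsafeSysctls(), sysctl)
            && !anyMatch(spec.getForbiddenSysctls(), sysctl);
    }

    // Capabilities listed both as add-able and as required-drop violate the documented rule.
    static Set<String> conflictingCapabilities(PodSecurityPolicySpec spec) {
        Set<String> conflicts = new HashSet<>();
        List<String> drop = spec.getRequiredDropCapabilities();
        if (drop == null) return conflicts;
        for (List<String> added : Arrays.asList(spec.getAllowedCapabilities(), spec.getDefaultAddCapabilities())) {
            if (added == null) continue;
            for (String cap : added) if (drop.contains(cap)) conflicts.add(cap);
        }
        return conflicts;
    }

    // volumes semantics: empty (or unset) means no volume plugin is allowed; "*" allows all.
    static boolean volumePermitted(PodSecurityPolicySpec spec, String plugin) {
        List<String> volumes = spec.getVolumes();
        if (volumes == null || volumes.isEmpty()) return false;
        return volumes.contains("*") || volumes.contains(plugin);
    }

    public static void main(String[] args) {
        PodSecurityPolicySpec spec = new PodSecurityPolicySpec();   // constructed sample policy
        spec.setPrivileged(false);
        spec.setAllowPrivilegeEscalation(false);
        spec.setHostNetwork(false);
        spec.setHostPID(false);
        spec.setHostIPC(false);
        spec.setReadOnlyRootFilesystem(true);
        spec.setRequiredDropCapabilities(Arrays.asList("ALL"));
        spec.setAllowedCapabilities(Arrays.asList("NET_BIND_SERVICE"));
        spec.setAllowedUnsafeSysctls(Arrays.asList("net.ipv4.*"));
        spec.setForbiddenSysctls(Arrays.asList("net.ipv4.ip_forward"));
        spec.setVolumes(Arrays.asList("configMap", "secret", "emptyDir"));

        System.out.println("capability conflicts: " + conflictingCapabilities(spec));
        System.out.println("tcp_syncookies permitted: " + sysctlPermitted(spec, "net.ipv4.tcp_syncookies"));
        System.out.println("ip_forward permitted: " + sysctlPermitted(spec, "net.ipv4.ip_forward"));
        System.out.println("hostPath permitted: " + volumePermitted(spec, "hostPath"));
    }
}
```

The forbidden list wins over a matching allowed prefix, which is why a broad "net.ipv4.*" allowance can still be narrowed by listing individual sysctls under forbiddenSysctls.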
-
equals
public boolean equals(java.lang.Object o)
Overrides: equals in class java.lang.Object
-
canEqual
protected boolean canEqual(java.lang.Object other)
-
hashCode
public int hashCode()
Overrides: hashCode in class java.lang.Object
-
toString
public java.lang.String toString()
Overrides: toString in class java.lang.Object