
Text file src/github.com/openshift/api/security/v1/0000_03_security-openshift_01_scc.crd.yaml


     1apiVersion: apiextensions.k8s.io/v1
     2kind: CustomResourceDefinition
     3metadata:
     4  annotations:
     5    api-approved.openshift.io: https://github.com/openshift/api/pull/470
     6    include.release.openshift.io/ibm-cloud-managed: "true"
     7    include.release.openshift.io/self-managed-high-availability: "true"
     8    include.release.openshift.io/single-node-developer: "true"
     9  name: securitycontextconstraints.security.openshift.io
    10spec:
    11  group: security.openshift.io
    12  names:
    13    kind: SecurityContextConstraints
    14    listKind: SecurityContextConstraintsList
    15    plural: securitycontextconstraints
    16    singular: securitycontextconstraints
    17  scope: Cluster
    18  versions:
    19    - additionalPrinterColumns:
    20        - description: Determines if a container can request to be run as privileged
    21          jsonPath: .allowPrivilegedContainer
    22          name: Priv
    23          type: string
    24        - description: A list of capabilities that can be requested to add to the container
    25          jsonPath: .allowedCapabilities
    26          name: Caps
    27          type: string
    28        - description: Strategy that will dictate what labels will be set in the SecurityContext
    29          jsonPath: .seLinuxContext.type
    30          name: SELinux
    31          type: string
    32        - description: Strategy that will dictate what RunAsUser is used in the SecurityContext
    33          jsonPath: .runAsUser.type
    34          name: RunAsUser
    35          type: string
    36        - description: Strategy that will dictate what fs group is used by the SecurityContext
    37          jsonPath: .fsGroup.type
    38          name: FSGroup
    39          type: string
    40        - description: Strategy that will dictate what supplemental groups are used by the SecurityContext
    41          jsonPath: .supplementalGroups.type
    42          name: SupGroup
    43          type: string
    44        - description: Sort order of SCCs
    45          jsonPath: .priority
    46          name: Priority
    47          type: string
    48        - description: Force containers to run with a read only root file system
    49          jsonPath: .readOnlyRootFilesystem
    50          name: ReadOnlyRootFS
    51          type: string
    52        - description: White list of allowed volume plugins
    53          jsonPath: .volumes
    54          name: Volumes
    55          type: string
    56      name: v1
    57      schema:
    58        openAPIV3Schema:
    59          description: "SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
    60          type: object
    61          required:
    62            - allowHostDirVolumePlugin
    63            - allowHostIPC
    64            - allowHostNetwork
    65            - allowHostPID
    66            - allowHostPorts
    67            - allowPrivilegedContainer
    68            - allowedCapabilities
    69            - defaultAddCapabilities
    70            - priority
    71            - readOnlyRootFilesystem
    72            - requiredDropCapabilities
    73            - volumes
    74          properties:
    75            allowHostDirVolumePlugin:
    76              description: AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
    77              type: boolean
    78            allowHostIPC:
    79              description: AllowHostIPC determines if the policy allows host ipc in the containers.
    80              type: boolean
    81            allowHostNetwork:
    82              description: AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
    83              type: boolean
    84            allowHostPID:
    85              description: AllowHostPID determines if the policy allows host pid in the containers.
    86              type: boolean
    87            allowHostPorts:
    88              description: AllowHostPorts determines if the policy allows host ports in the containers.
    89              type: boolean
    90            allowPrivilegeEscalation:
    91              description: AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
    92              type: boolean
    93              nullable: true
    94            allowPrivilegedContainer:
    95              description: AllowPrivilegedContainer determines if a container can request to be run as privileged.
    96              type: boolean
    97            allowedCapabilities:
    98              description: AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'.
    99              type: array
   100              items:
   101                description: Capability represent POSIX capabilities type
   102                type: string
   103              nullable: true
   104            allowedFlexVolumes:
   105              description: AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field.
   106              type: array
   107              items:
   108                description: AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
   109                type: object
   110                required:
   111                  - driver
   112                properties:
   113                  driver:
   114                    description: Driver is the name of the Flexvolume driver.
   115                    type: string
   116              nullable: true
   117            allowedUnsafeSysctls:
   118              description: "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. \n Examples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."
   119              type: array
   120              items:
   121                type: string
   122              nullable: true
   123            apiVersion:
   124              description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
   125              type: string
   126            defaultAddCapabilities:
   127              description: DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability.  You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.
   128              type: array
   129              items:
   130                description: Capability represent POSIX capabilities type
   131                type: string
   132              nullable: true
   133            defaultAllowPrivilegeEscalation:
   134              description: DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
   135              type: boolean
   136              nullable: true
   137            forbiddenSysctls:
   138              description: "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. \n Examples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
   139              type: array
   140              items:
   141                type: string
   142              nullable: true
   143            fsGroup:
   144              description: FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
   145              type: object
   146              properties:
   147                ranges:
   148                  description: Ranges are the allowed ranges of fs groups.  If you would like to force a single fs group then supply a single range with the same start and end.
   149                  type: array
   150                  items:
   151                    description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.'
   152                    type: object
   153                    properties:
   154                      max:
   155                        description: Max is the end of the range, inclusive.
   156                        type: integer
   157                        format: int64
   158                      min:
   159                        description: Min is the start of the range, inclusive.
   160                        type: integer
   161                        format: int64
   162                type:
   163                  description: Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
   164                  type: string
   165              nullable: true
   166            groups:
   167              description: The groups that have permission to use this security context constraints
   168              type: array
   169              items:
   170                type: string
   171              nullable: true
   172            kind:
   173              description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
   174              type: string
   175            metadata:
   176              type: object
   177            priority:
   178              description: Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields.  The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name.
   179              type: integer
   180              format: int32
   181              nullable: true
   182            readOnlyRootFilesystem:
   183              description: ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system.  If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
   184              type: boolean
   185            requiredDropCapabilities:
   186              description: RequiredDropCapabilities are the capabilities that will be dropped from the container.  These are required to be dropped and cannot be added.
   187              type: array
   188              items:
   189                description: Capability represent POSIX capabilities type
   190                type: string
   191              nullable: true
   192            runAsUser:
   193              description: RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
   194              type: object
   195              properties:
   196                type:
   197                  description: Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
   198                  type: string
   199                uid:
   200                  description: UID is the user id that containers must run as.  Required for the MustRunAs strategy if not using namespace/service account allocated uids.
   201                  type: integer
   202                  format: int64
   203                uidRangeMax:
   204                  description: UIDRangeMax defines the max value for a strategy that allocates by range.
   205                  type: integer
   206                  format: int64
   207                uidRangeMin:
   208                  description: UIDRangeMin defines the min value for a strategy that allocates by range.
   209                  type: integer
   210                  format: int64
   211              nullable: true
   212            seLinuxContext:
   213              description: SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
   214              type: object
   215              properties:
   216                seLinuxOptions:
   217                  description: seLinuxOptions required to run as; required for MustRunAs
   218                  type: object
   219                  properties:
   220                    level:
   221                      description: Level is SELinux level label that applies to the container.
   222                      type: string
   223                    role:
   224                      description: Role is a SELinux role label that applies to the container.
   225                      type: string
   226                    type:
   227                      description: Type is a SELinux type label that applies to the container.
   228                      type: string
   229                    user:
   230                      description: User is a SELinux user label that applies to the container.
   231                      type: string
   232                type:
   233                  description: Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
   234                  type: string
   235              nullable: true
   236            seccompProfiles:
   237              description: "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations.  An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles.  When used to generate a value for a pod the first non-wildcard profile will be used as the default."
   238              type: array
   239              items:
   240                type: string
   241              nullable: true
   242            supplementalGroups:
   243              description: SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
   244              type: object
   245              properties:
   246                ranges:
   247                  description: Ranges are the allowed ranges of supplemental groups.  If you would like to force a single supplemental group then supply a single range with the same start and end.
   248                  type: array
   249                  items:
   250                    description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.'
   251                    type: object
   252                    properties:
   253                      max:
   254                        description: Max is the end of the range, inclusive.
   255                        type: integer
   256                        format: int64
   257                      min:
   258                        description: Min is the start of the range, inclusive.
   259                        type: integer
   260                        format: int64
   261                type:
   262                  description: Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
   263                  type: string
   264              nullable: true
   265            users:
   266              description: The users who have permissions to use this security context constraints
   267              type: array
   268              items:
   269                type: string
   270              nullable: true
   271            volumes:
   272              description: Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*". To allow no volumes, set to ["none"].
   273              type: array
   274              items:
   275                description: FS Type gives strong typing to different file systems that are used by volumes.
   276                type: string
   277              nullable: true
   278      served: true
   279      storage: true
