package v1

import (
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// AllowAllCapabilities can be used as a value for the
// SecurityContextConstraints.AllowedCapabilities field and means that any
// capabilities are allowed to be requested. Listing it switches the
// capability allow-list off entirely, so a pod admitted through that SCC may
// add whatever capabilities its author asks for; prefer an explicit list.
var AllowAllCapabilities corev1.Capability = "*"

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
// that will be applied to a container.
// For historical reasons SCC was exposed under the core Kubernetes API group.
// That exposure is deprecated and will be removed in a future release - users
// should instead use the security.openshift.io group to manage
// SecurityContextConstraints.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
// +kubebuilder:singular=securitycontextconstraint
// +openshift:compatibility-gen:level=1
type SecurityContextConstraints struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
	// a given pod request based on access in the Users and Groups fields. The higher the int, the
	// higher priority. An unset value is considered a 0 priority. If scores
	// for multiple SCCs are equal they will be sorted from most restrictive to
	// least restrictive. If both priorities and restrictions are equal the
	// SCCs will be sorted by name.
	// Because a higher priority SCC is tried before a more restrictive one, a
	// permissive SCC with a high priority and a broad Users/Groups grant can
	// end up being the SCC that admits pods which a stricter SCC would also
	// have accepted; keep priorities on permissive SCCs low.
	// +nullable
	Priority *int32 `json:"priority" protobuf:"varint,2,opt,name=priority"`

	// AllowPrivilegedContainer determines if a container can request to be run as privileged.
	// A privileged container is not confined by the capability, seccomp or
	// volume restrictions below in any meaningful way, so this should be
	// granted to as few subjects as possible.
	AllowPrivilegedContainer bool `json:"allowPrivilegedContainer" protobuf:"varint,3,opt,name=allowPrivilegedContainer"`
	// DefaultAddCapabilities is the default set of capabilities that will be added to the container
	// unless the pod spec specifically drops the capability. You may not list a capability in both
	// DefaultAddCapabilities and RequiredDropCapabilities.
	// +nullable
	DefaultAddCapabilities []corev1.Capability `json:"defaultAddCapabilities" protobuf:"bytes,4,rep,name=defaultAddCapabilities,casttype=Capability"`
	// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
	// are required to be dropped and cannot be added.
	// +nullable
	RequiredDropCapabilities []corev1.Capability `json:"requiredDropCapabilities" protobuf:"bytes,5,rep,name=requiredDropCapabilities,casttype=Capability"`
	// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
	// Capabilities in this field may be added at the pod author's discretion.
	// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
	// To allow all capabilities you may use '*' (see AllowAllCapabilities);
	// doing so removes the allow-list entirely.
	// +nullable
	AllowedCapabilities []corev1.Capability `json:"allowedCapabilities" protobuf:"bytes,6,rep,name=allowedCapabilities,casttype=Capability"`
	// AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin.
	// This field is excluded from generated conversions (+k8s:conversion-gen=false);
	// presumably the server keeps it consistent with a hostPath entry in Volumes -
	// verify against the admission code before relying on only one of the two.
	// +k8s:conversion-gen=false
	AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"`
	// Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
	// of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
	// To allow no volumes, set to ["none"].
	// Note that "*" also covers hostPath, i.e. access to the node's filesystem.
	// +nullable
	Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"`
	// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
	// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
	// is allowed in the "Volumes" field.
	// Be aware that, unlike most allow-lists in this type, leaving this empty is
	// the permissive setting: once flexVolume is in Volumes, every driver is allowed
	// unless this list names the permitted ones.
	// +optional
	// +nullable
	AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,21,rep,name=allowedFlexVolumes"`
	// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
	AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"`
	// AllowHostPorts determines if the policy allows host ports in the containers.
	AllowHostPorts bool `json:"allowHostPorts" protobuf:"varint,10,opt,name=allowHostPorts"`
	// AllowHostPID determines if the policy allows host pid in the containers.
	AllowHostPID bool `json:"allowHostPID" protobuf:"varint,11,opt,name=allowHostPID"`
	// AllowHostIPC determines if the policy allows host ipc in the containers.
	AllowHostIPC bool `json:"allowHostIPC" protobuf:"varint,12,opt,name=allowHostIPC"`

	// NOTE(review): the two *bool fields below carry "rep" protobuf tags and
	// SeccompProfiles ([]string) carries "opt"; this presumably mirrors the
	// existing generated.proto, so do not "correct" the tags without
	// regenerating and checking wire compatibility.

	// DefaultAllowPrivilegeEscalation controls the default setting for whether a
	// process can gain more privileges than its parent process.
	// +optional
	// +nullable
	DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,22,rep,name=defaultAllowPrivilegeEscalation"`
	// AllowPrivilegeEscalation determines if a pod can request to allow
	// privilege escalation. If unspecified, defaults to true, i.e. an SCC that
	// leaves this nil permits setuid-style escalation; set it to false explicitly
	// on restrictive SCCs.
	// +optional
	// +nullable
	AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,23,rep,name=allowPrivilegeEscalation"`
	// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
	// +nullable
	SELinuxContext SELinuxContextStrategyOptions `json:"seLinuxContext,omitempty" protobuf:"bytes,13,opt,name=seLinuxContext"`
	// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
	// +nullable
	RunAsUser RunAsUserStrategyOptions `json:"runAsUser,omitempty" protobuf:"bytes,14,opt,name=runAsUser"`
	// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
	// +nullable
	SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups,omitempty" protobuf:"bytes,15,opt,name=supplementalGroups"`
	// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
	// +nullable
	FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" protobuf:"bytes,16,opt,name=fsGroup"`
	// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
	// system. If the container specifically requests to run with a non-read only root file system
	// the SCC should deny the pod.
	// If set to false the container may run with a read only root file system if it wishes but it
	// will not be forced to.
	ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem" protobuf:"varint,17,opt,name=readOnlyRootFilesystem"`

	// The users who have permission to use this security context constraints.
	// Together with Groups this is a direct grant of the SCC to named subjects
	// (service accounts are presumably referenced by their subject name -
	// confirm the exact form against the admission code).
	// +optional
	// +nullable
	Users []string `json:"users" protobuf:"bytes,18,rep,name=users"`
	// The groups that have permission to use this security context constraints.
	// +optional
	// +nullable
	Groups []string `json:"groups" protobuf:"bytes,19,rep,name=groups"`

	// SeccompProfiles lists the allowed profiles that may be set for the pod or
	// container's seccomp annotations. An unset (nil) or empty value means that no profiles may
	// be specified by the pod or container. The wildcard '*' may be used to allow all profiles. When
	// used to generate a value for a pod the first non-wildcard profile will be used as
	// the default.
	// +nullable
	SeccompProfiles []string `json:"seccompProfiles,omitempty" protobuf:"bytes,20,opt,name=seccompProfiles"`

	// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
	// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
	//
	// Examples:
	// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
	// +optional
	// +nullable
	AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,24,rep,name=allowedUnsafeSysctls"`
	// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
	// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
	// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
	//
	// Examples:
	// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
	// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
	// +optional
	// +nullable
	ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,25,rep,name=forbiddenSysctls"`
}

// FSType gives strong typing to different file systems that are used by volumes.
// Values correspond to the field names of a corev1.VolumeSource, plus the two
// sentinels FSTypeAll ("*") and FSTypeNone ("none").
type FSType string

// NOTE(review): these are declared as var rather than const (so technically
// mutable package state); treat them as constants and do not assign to them.
var (
	FSTypeAzureFile             FSType = "azureFile"
	FSTypeAzureDisk             FSType = "azureDisk"
	FSTypeFlocker               FSType = "flocker"
	FSTypeFlexVolume            FSType = "flexVolume"
	FSTypeHostPath              FSType = "hostPath"
	FSTypeEmptyDir              FSType = "emptyDir"
	FSTypeGCEPersistentDisk     FSType = "gcePersistentDisk"
	FSTypeAWSElasticBlockStore  FSType = "awsElasticBlockStore"
	FSTypeGitRepo               FSType = "gitRepo"
	FSTypeSecret                FSType = "secret"
	FSTypeNFS                   FSType = "nfs"
	FSTypeISCSI                 FSType = "iscsi"
	FSTypeGlusterfs             FSType = "glusterfs"
	FSTypePersistentVolumeClaim FSType = "persistentVolumeClaim"
	FSTypeRBD                   FSType = "rbd"
	FSTypeCinder                FSType = "cinder"
	FSTypeCephFS                FSType = "cephFS"
	FSTypeDownwardAPI           FSType = "downwardAPI"
	FSTypeFC                    FSType = "fc"
	FSTypeConfigMap             FSType = "configMap"
	FSTypeVsphereVolume         FSType = "vsphere"
	FSTypeQuobyte               FSType = "quobyte"
	FSTypePhotonPersistentDisk  FSType = "photonPersistentDisk"
	FSProjected                 FSType = "projected"
	FSPortworxVolume            FSType = "portworxVolume"
	FSScaleIO                   FSType = "scaleIO"
	FSStorageOS                 FSType = "storageOS"
	FSTypeCSI                   FSType = "csi"
	FSTypeEphemeral             FSType = "ephemeral"
	// FSTypeAll is the wildcard that allows every volume plugin, hostPath included.
	FSTypeAll FSType = "*"
	// FSTypeNone allows no volume plugin at all.
	FSTypeNone FSType = "none"
)

// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
type AllowedFlexVolume struct {
	// Driver is the name of the Flexvolume driver.
	Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"`
}

// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
type SELinuxContextStrategyOptions struct {
	// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
	Type SELinuxContextStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=SELinuxContextStrategyType"`
	// seLinuxOptions required to run as; required for MustRunAs
	SELinuxOptions *corev1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"`
}

// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
// Note that this type carries its own UIDRangeMin/UIDRangeMax rather than
// reusing IDRange (see the TODO on IDRange).
type RunAsUserStrategyOptions struct {
	// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
	Type RunAsUserStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsUserStrategyType"`
	// UID is the user id that containers must run as. Required for the MustRunAs strategy if not using
	// namespace/service account allocated uids.
	UID *int64 `json:"uid,omitempty" protobuf:"varint,2,opt,name=uid"`
	// UIDRangeMin defines the min value for a strategy that allocates by range.
	UIDRangeMin *int64 `json:"uidRangeMin,omitempty" protobuf:"varint,3,opt,name=uidRangeMin"`
	// UIDRangeMax defines the max value for a strategy that allocates by range.
	UIDRangeMax *int64 `json:"uidRangeMax,omitempty" protobuf:"varint,4,opt,name=uidRangeMax"`
}

// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
type FSGroupStrategyOptions struct {
	// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
	Type FSGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=FSGroupStrategyType"`
	// Ranges are the allowed ranges of fs groups. If you would like to force a single
	// fs group then supply a single range with the same start and end.
	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
}

// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
type SupplementalGroupsStrategyOptions struct {
	// Type is the strategy that will dictate what supplemental groups are used in the SecurityContext.
	Type SupplementalGroupsStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=SupplementalGroupsStrategyType"`
	// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
	// supplemental group then supply a single range with the same start and end.
	Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
}

// IDRange provides a min/max of an allowed range of IDs.
// Both ends are inclusive; a single-ID range has Min == Max.
// TODO: this could be reused for UIDs.
type IDRange struct {
	// Min is the start of the range, inclusive.
	Min int64 `json:"min,omitempty" protobuf:"varint,1,opt,name=min"`
	// Max is the end of the range, inclusive.
	Max int64 `json:"max,omitempty" protobuf:"varint,2,opt,name=max"`
}

// SELinuxContextStrategyType denotes strategy types for generating SELinux options for a
// SecurityContext
type SELinuxContextStrategyType string

// RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a
// SecurityContext
type RunAsUserStrategyType string

// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
// groups for a SecurityContext.
type SupplementalGroupsStrategyType string

// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
// SecurityContext
type FSGroupStrategyType string

// In every strategy family below, "RunAsAny" is the permissive end: the pod
// author chooses the value and the SCC does not constrain it.
const (
	// container must have SELinux labels of X applied.
	SELinuxStrategyMustRunAs SELinuxContextStrategyType = "MustRunAs"
	// container may make requests for any SELinux context labels.
	SELinuxStrategyRunAsAny SELinuxContextStrategyType = "RunAsAny"

	// container must run as a particular uid (RunAsUserStrategyOptions.UID, or a
	// namespace/service-account allocated uid when UID is unset).
	RunAsUserStrategyMustRunAs RunAsUserStrategyType = "MustRunAs"
	// container must run as a uid within the configured range
	// (RunAsUserStrategyOptions.UIDRangeMin..UIDRangeMax).
	RunAsUserStrategyMustRunAsRange RunAsUserStrategyType = "MustRunAsRange"
	// container must run as a non-root uid
	RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategyType = "MustRunAsNonRoot"
	// container may make requests for any uid, root included.
	RunAsUserStrategyRunAsAny RunAsUserStrategyType = "RunAsAny"

	// container must have FSGroup of X applied.
	FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
	// container may make requests for any FSGroup labels.
	FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"

	// container must run as a particular gid.
	SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
	// container may make requests for any gid.
	SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type SecurityContextConstraintsList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// List of security context constraints.
	Items []SecurityContextConstraints `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
// It is a create-only (review) resource: nothing is persisted, the answer is
// returned in Status.
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
type PodSecurityPolicySubjectReview struct {
	metav1.TypeMeta `json:",inline"`

	// spec defines specification for the PodSecurityPolicySubjectReview.
	Spec PodSecurityPolicySubjectReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`

	// status represents the current information/status for the PodSecurityPolicySubjectReview.
	Status PodSecurityPolicySubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}

// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
type PodSecurityPolicySubjectReviewSpec struct {
	// template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
	// If its non-empty, it will be checked.
	Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"`

	// user is the user you're testing for.
	// If you specify "user" but not "groups", then it is interpreted as "What if user were not a member of any groups?".
	// If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
	User string `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`

	// groups is the groups you're testing for.
	Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"`
}

// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
type PodSecurityPolicySubjectReviewStatus struct {
	// allowedBy is a reference to the rule that allows the PodTemplateSpec.
	// A rule can be a SecurityContextConstraint or a PodSecurityPolicy.
	// A nil value indicates that it was denied.
	AllowedBy *corev1.ObjectReference `json:"allowedBy,omitempty" protobuf:"bytes,1,opt,name=allowedBy"`

	// A machine-readable description of why this operation is in the
	// "Failure" status. If this value is empty there
	// is no information available.
	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`

	// template is the PodTemplateSpec after the defaulting is applied.
	Template corev1.PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,3,opt,name=template"`
}

// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
// (the subject is the caller, so no user/groups are supplied in the spec).
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
type PodSecurityPolicySelfSubjectReview struct {
	metav1.TypeMeta `json:",inline"`

	// spec defines specification the PodSecurityPolicySelfSubjectReview.
	Spec PodSecurityPolicySelfSubjectReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`

	// status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
	Status PodSecurityPolicySubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}

// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
type PodSecurityPolicySelfSubjectReviewSpec struct {
	// template is the PodTemplateSpec to check.
	Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"`
}

// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
// Unlike SecurityContextConstraints this resource is namespaced, and the
// answer only covers service accounts of the namespace it is created in.
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
type PodSecurityPolicyReview struct {
	metav1.TypeMeta `json:",inline"`

	// spec is the specification of the PodSecurityPolicyReview (the template and service accounts to check).
	Spec PodSecurityPolicyReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`

	// status represents the current information/status for the PodSecurityPolicyReview.
	Status PodSecurityPolicyReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}

// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
type PodSecurityPolicyReviewSpec struct {
	// template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
	// if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
	// in which case "default" is used.
	// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
	Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"`

	// serviceAccountNames is an optional set of ServiceAccounts to run the check with.
	// If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
	// unless it's empty, in which case "default" is used instead.
	// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
	ServiceAccountNames []string `json:"serviceAccountNames,omitempty" protobuf:"bytes,2,rep,name=serviceAccountNames"` // TODO: find a way to express 'all service accounts'
}

// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
type PodSecurityPolicyReviewStatus struct {
	// allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
	AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus `json:"allowedServiceAccounts" protobuf:"bytes,1,rep,name=allowedServiceAccounts"`
}

// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
type ServiceAccountPodSecurityPolicyReviewStatus struct {
	PodSecurityPolicySubjectReviewStatus `json:",inline" protobuf:"bytes,1,opt,name=podSecurityPolicySubjectReviewStatus"`

	// name is the ServiceAccount this entry is about; whether it was allowed or
	// denied is carried by the inlined status (AllowedBy nil means denied).
	Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
type RangeAllocation struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
	// Presumably <start>-<end>/<block size>; the exact grammar is defined by the
	// allocator, not here - verify before parsing it elsewhere.
	Range string `json:"range" protobuf:"bytes,2,opt,name=range"`

	// data is a byte array representing the serialized state of a range allocation. It is a bitmap
	// with each bit set to one to represent a range is taken.
	Data []byte `json:"data" protobuf:"bytes,3,opt,name=data"`
}

// NOTE(review): RangeAllocation is compatibility level 4 while its list type
// below is level 1; a list cannot be more stable than its element type, so
// one of the two markers looks wrong. Left as-is here because the marker
// drives generated compatibility docs.

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// RangeAllocationList is a list of RangeAllocations objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RangeAllocationList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata is the standard list's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// List of RangeAllocations.
	Items []RangeAllocation `json:"items" protobuf:"bytes,2,rep,name=items"`
}