mirrors/ceph-csi
1
0
Fork 0
mirror of https://github.com/ceph/ceph-csi.git synced 2025-06-13 10:33:35 +00:00
Code Issues Packages Projects Releases Wiki Activity

build: add yamlgen to build deployment files

Browse Source 
This initial version of yamlgen generates deploy/scc.yaml based on the
deployment artifact that is provided by the new api/deploy/ocp package.

Signed-off-by: Niels de Vos <ndevos@redhat.com>
This commit is contained in:
Niels de Vos
2021-10-01 14:08:56 +02:00
committed by mergify[bot]
parent 36e099d939
commit 5ea99fdd5b
32 changed files with 8850 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

191
vendor/github.com/openshift/api/LICENSE generated vendored Normal file
View File

@ -0,0 +1,191 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
Copyright 2020 Red Hat, Inc.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

279
vendor/github.com/openshift/api/security/v1/0000_03_security-openshift_01_scc.crd.yaml generated vendored Normal file
View File

@ -0,0 +1,279 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.openshift.io: https://github.com/openshift/api/pull/470
include.release.openshift.io/ibm-cloud-managed: "true"
include.release.openshift.io/self-managed-high-availability: "true"
include.release.openshift.io/single-node-developer: "true"
name: securitycontextconstraints.security.openshift.io
spec:
group: security.openshift.io
names:
kind: SecurityContextConstraints
listKind: SecurityContextConstraintsList
plural: securitycontextconstraints
singular: securitycontextconstraints
scope: Cluster
versions:
- additionalPrinterColumns:
- description: Determines if a container can request to be run as privileged
jsonPath: .allowPrivilegedContainer
name: Priv
type: string
- description: A list of capabilities that can be requested to add to the container
jsonPath: .allowedCapabilities
name: Caps
type: string
- description: Strategy that will dictate what labels will be set in the SecurityContext
jsonPath: .seLinuxContext.type
name: SELinux
type: string
- description: Strategy that will dictate what RunAsUser is used in the SecurityContext
jsonPath: .runAsUser.type
name: RunAsUser
type: string
- description: Strategy that will dictate what fs group is used by the SecurityContext
jsonPath: .fsGroup.type
name: FSGroup
type: string
- description: Strategy that will dictate what supplemental groups are used by the SecurityContext
jsonPath: .supplementalGroups.type
name: SupGroup
type: string
- description: Sort order of SCCs
jsonPath: .priority
name: Priority
type: string
- description: Force containers to run with a read only root file system
jsonPath: .readOnlyRootFilesystem
name: ReadOnlyRootFS
type: string
- description: White list of allowed volume plugins
jsonPath: .volumes
name: Volumes
type: string
name: v1
schema:
openAPIV3Schema:
description: "SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints. \n Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer)."
type: object
required:
- allowHostDirVolumePlugin
- allowHostIPC
- allowHostNetwork
- allowHostPID
- allowHostPorts
- allowPrivilegedContainer
- allowedCapabilities
- defaultAddCapabilities
- priority
- readOnlyRootFilesystem
- requiredDropCapabilities
- volumes
properties:
allowHostDirVolumePlugin:
description: AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
type: boolean
allowHostIPC:
description: AllowHostIPC determines if the policy allows host ipc in the containers.
type: boolean
allowHostNetwork:
description: AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
type: boolean
allowHostPID:
description: AllowHostPID determines if the policy allows host pid in the containers.
type: boolean
allowHostPorts:
description: AllowHostPorts determines if the policy allows host ports in the containers.
type: boolean
allowPrivilegeEscalation:
description: AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
type: boolean
nullable: true
allowPrivilegedContainer:
description: AllowPrivilegedContainer determines if a container can request to be run as privileged.
type: boolean
allowedCapabilities:
description: AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'.
type: array
items:
description: Capability represent POSIX capabilities type
type: string
nullable: true
allowedFlexVolumes:
description: AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field.
type: array
items:
description: AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
type: object
required:
- driver
properties:
driver:
description: Driver is the name of the Flexvolume driver.
type: string
nullable: true
allowedUnsafeSysctls:
description: "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. \n Examples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc."
type: array
items:
type: string
nullable: true
apiVersion:
description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
defaultAddCapabilities:
description: DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.
type: array
items:
description: Capability represent POSIX capabilities type
type: string
nullable: true
defaultAllowPrivilegeEscalation:
description: DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
type: boolean
nullable: true
forbiddenSysctls:
description: "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. \n Examples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc."
type: array
items:
type: string
nullable: true
fsGroup:
description: FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
type: object
properties:
ranges:
description: Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end.
type: array
items:
description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.'
type: object
properties:
max:
description: Max is the end of the range, inclusive.
type: integer
format: int64
min:
description: Min is the start of the range, inclusive.
type: integer
format: int64
type:
description: Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
type: string
nullable: true
groups:
description: The groups that have permission to use this security context constraints
type: array
items:
type: string
nullable: true
kind:
description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
priority:
description: Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name.
type: integer
format: int32
nullable: true
readOnlyRootFilesystem:
description: ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
type: boolean
requiredDropCapabilities:
description: RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
type: array
items:
description: Capability represent POSIX capabilities type
type: string
nullable: true
runAsUser:
description: RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
type: object
properties:
type:
description: Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
type: string
uid:
description: UID is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids.
type: integer
format: int64
uidRangeMax:
description: UIDRangeMax defines the max value for a strategy that allocates by range.
type: integer
format: int64
uidRangeMin:
description: UIDRangeMin defines the min value for a strategy that allocates by range.
type: integer
format: int64
nullable: true
seLinuxContext:
description: SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
type: object
properties:
seLinuxOptions:
description: seLinuxOptions required to run as; required for MustRunAs
type: object
properties:
level:
description: Level is SELinux level label that applies to the container.
type: string
role:
description: Role is a SELinux role label that applies to the container.
type: string
type:
description: Type is a SELinux type label that applies to the container.
type: string
user:
description: User is a SELinux user label that applies to the container.
type: string
type:
description: Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
type: string
nullable: true
seccompProfiles:
description: "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default."
type: array
items:
type: string
nullable: true
supplementalGroups:
description: SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
type: object
properties:
ranges:
description: Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end.
type: array
items:
description: 'IDRange provides a min/max of an allowed range of IDs. TODO: this could be reused for UIDs.'
type: object
properties:
max:
description: Max is the end of the range, inclusive.
type: integer
format: int64
min:
description: Min is the start of the range, inclusive.
type: integer
format: int64
type:
description: Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
type: string
nullable: true
users:
description: The users who have permissions to use this security context constraints
type: array
items:
type: string
nullable: true
volumes:
description: Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"].
type: array
items:
description: FS Type gives strong typing to different file systems that are used by volumes.
type: string
nullable: true
served: true
storage: true

10
vendor/github.com/openshift/api/security/v1/consts.go generated vendored Normal file
View File

@ -0,0 +1,10 @@
package v1
const (
UIDRangeAnnotation = "openshift.io/sa.scc.uid-range"
// SupplementalGroupsAnnotation contains a comma delimited list of allocated supplemental groups
// for the namespace. Groups are in the form of a Block which supports {start}/{length} or {start}-{end}
SupplementalGroupsAnnotation = "openshift.io/sa.scc.supplemental-groups"
MCSAnnotation = "openshift.io/sa.scc.mcs"
ValidatedSCCAnnotation = "openshift.io/scc"
)

8
vendor/github.com/openshift/api/security/v1/doc.go generated vendored Normal file
View File

@ -0,0 +1,8 @@
// +k8s:deepcopy-gen=package,register
// +k8s:conversion-gen=github.com/openshift/origin/pkg/security/apis/security
// +k8s:defaulter-gen=TypeMeta
// +k8s:openapi-gen=true
// +groupName=security.openshift.io
// Package v1 is the v1 version of the API.
package v1

5283
vendor/github.com/openshift/api/security/v1/generated.pb.go generated vendored Normal file
View File

File diff suppressed because it is too large Load Diff

372
vendor/github.com/openshift/api/security/v1/generated.proto generated vendored Normal file
View File

@ -0,0 +1,372 @@
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
syntax = "proto2";
package github.com.openshift.api.security.v1;
import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
// Package-wide variables from generator "generated".
option go_package = "v1";
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
message AllowedFlexVolume {
// Driver is the name of the Flexvolume driver.
optional string driver = 1;
}
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
message FSGroupStrategyOptions {
// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
optional string type = 1;
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end.
repeated IDRange ranges = 2;
}
// IDRange provides a min/max of an allowed range of IDs.
// TODO: this could be reused for UIDs.
message IDRange {
// Min is the start of the range, inclusive.
optional int64 min = 1;
// Max is the end of the range, inclusive.
optional int64 max = 2;
}
// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message PodSecurityPolicyReview {
// spec is the PodSecurityPolicy to check.
optional PodSecurityPolicyReviewSpec spec = 1;
// status represents the current information/status for the PodSecurityPolicyReview.
optional PodSecurityPolicyReviewStatus status = 2;
}
// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
message PodSecurityPolicyReviewSpec {
// template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
// if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
// in which case "default" is used.
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
// serviceAccountNames is an optional set of ServiceAccounts to run the check with.
// If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
// unless it's empty, in which case "default" is used instead.
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
repeated string serviceAccountNames = 2;
}
// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
message PodSecurityPolicyReviewStatus {
// allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1;
}
// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message PodSecurityPolicySelfSubjectReview {
// spec defines specification the PodSecurityPolicySelfSubjectReview.
optional PodSecurityPolicySelfSubjectReviewSpec spec = 1;
// status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
optional PodSecurityPolicySubjectReviewStatus status = 2;
}
// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
message PodSecurityPolicySelfSubjectReviewSpec {
// template is the PodTemplateSpec to check.
optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
}
// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message PodSecurityPolicySubjectReview {
// spec defines specification for the PodSecurityPolicySubjectReview.
optional PodSecurityPolicySubjectReviewSpec spec = 1;
// status represents the current information/status for the PodSecurityPolicySubjectReview.
optional PodSecurityPolicySubjectReviewStatus status = 2;
}
// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
message PodSecurityPolicySubjectReviewSpec {
// template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
// If its non-empty, it will be checked.
optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
// user is the user you're testing for.
// If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups.
// If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
optional string user = 2;
// groups is the groups you're testing for.
repeated string groups = 3;
}
// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
message PodSecurityPolicySubjectReviewStatus {
// allowedBy is a reference to the rule that allows the PodTemplateSpec.
// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
// A `nil`, indicates that it was denied.
optional k8s.io.api.core.v1.ObjectReference allowedBy = 1;
// A machine-readable description of why this operation is in the
// "Failure" status. If this value is empty there
// is no information available.
optional string reason = 2;
// template is the PodTemplateSpec after the defaulting is applied.
optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
}
// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RangeAllocation {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
optional string range = 2;
// data is a byte array representing the serialized state of a range allocation. It is a bitmap
// with each bit set to one to represent a range is taken.
optional bytes data = 3;
}
// RangeAllocationList is a list of RangeAllocations objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RangeAllocationList {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
// List of RangeAllocations.
repeated RangeAllocation items = 2;
}
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
message RunAsUserStrategyOptions {
// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
optional string type = 1;
// UID is the user id that containers must run as. Required for the MustRunAs strategy if not using
// namespace/service account allocated uids.
optional int64 uid = 2;
// UIDRangeMin defines the min value for a strategy that allocates by range.
optional int64 uidRangeMin = 3;
// UIDRangeMax defines the max value for a strategy that allocates by range.
optional int64 uidRangeMax = 4;
}
// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
message SELinuxContextStrategyOptions {
// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
optional string type = 1;
// seLinuxOptions required to run as; required for MustRunAs
optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
}
// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
// that will be applied to a container.
// For historical reasons SCC was exposed under the core Kubernetes API group.
// That exposure is deprecated and will be removed in a future release - users
// should instead use the security.openshift.io group to manage
// SecurityContextConstraints.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
// +kubebuilder:singular=securitycontextconstraint
// +openshift:compatibility-gen:level=1
message SecurityContextConstraints {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
// a given pod request based on access in the Users and Groups fields. The higher the int, the
// higher priority. An unset value is considered a 0 priority. If scores
// for multiple SCCs are equal they will be sorted from most restrictive to
// least restrictive. If both priorities and restrictions are equal the
// SCCs will be sorted by name.
// +nullable
optional int32 priority = 2;
// AllowPrivilegedContainer determines if a container can request to be run as privileged.
optional bool allowPrivilegedContainer = 3;
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capabiility in both
// DefaultAddCapabilities and RequiredDropCapabilities.
// +nullable
repeated string defaultAddCapabilities = 4;
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +nullable
repeated string requiredDropCapabilities = 5;
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field maybe added at the pod author's discretion.
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
// To allow all capabilities you may use '*'.
// +nullable
repeated string allowedCapabilities = 6;
// AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
// +k8s:conversion-gen=false
optional bool allowHostDirVolumePlugin = 7;
// Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
// of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
// To allow no volumes, set to ["none"].
// +nullable
repeated string volumes = 8;
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
// +nullable
repeated AllowedFlexVolume allowedFlexVolumes = 21;
// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
optional bool allowHostNetwork = 9;
// AllowHostPorts determines if the policy allows host ports in the containers.
optional bool allowHostPorts = 10;
// AllowHostPID determines if the policy allows host pid in the containers.
optional bool allowHostPID = 11;
// AllowHostIPC determines if the policy allows host ipc in the containers.
optional bool allowHostIPC = 12;
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
// +nullable
optional bool defaultAllowPrivilegeEscalation = 22;
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
// +nullable
optional bool allowPrivilegeEscalation = 23;
// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
// +nullable
optional SELinuxContextStrategyOptions seLinuxContext = 13;
// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
// +nullable
optional RunAsUserStrategyOptions runAsUser = 14;
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
// +nullable
optional SupplementalGroupsStrategyOptions supplementalGroups = 15;
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
// +nullable
optional FSGroupStrategyOptions fsGroup = 16;
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the SCC should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
optional bool readOnlyRootFilesystem = 17;
// The users who have permissions to use this security context constraints
// +optional
// +nullable
repeated string users = 18;
// The groups that have permission to use this security context constraints
// +optional
// +nullable
repeated string groups = 19;
// SeccompProfiles lists the allowed profiles that may be set for the pod or
// container's seccomp annotations. An unset (nil) or empty value means that no profiles may
// be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
// +nullable
repeated string seccompProfiles = 20;
// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
// +nullable
repeated string allowedUnsafeSysctls = 24;
// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
// +nullable
repeated string forbiddenSysctls = 25;
}
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SecurityContextConstraintsList {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
// List of security context constraints.
repeated SecurityContextConstraints items = 2;
}
// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
message ServiceAccountPodSecurityPolicyReviewStatus {
optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1;
// name contains the allowed and the denied ServiceAccount name
optional string name = 2;
}
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
message SupplementalGroupsStrategyOptions {
// Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
optional string type = 1;
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end.
repeated IDRange ranges = 2;
}

25
vendor/github.com/openshift/api/security/v1/legacy.go generated vendored Normal file
View File

@ -0,0 +1,25 @@
package v1
import (
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
var (
legacyGroupVersion = schema.GroupVersion{Group: "", Version: "v1"}
legacySchemeBuilder = runtime.NewSchemeBuilder(addLegacyKnownTypes, corev1.AddToScheme)
DeprecatedInstallWithoutGroup = legacySchemeBuilder.AddToScheme
)
func addLegacyKnownTypes(scheme *runtime.Scheme) error {
types := []runtime.Object{
&SecurityContextConstraints{},
&SecurityContextConstraintsList{},
&PodSecurityPolicySubjectReview{},
&PodSecurityPolicySelfSubjectReview{},
&PodSecurityPolicyReview{},
}
scheme.AddKnownTypes(legacyGroupVersion, types...)
return nil
}

44
vendor/github.com/openshift/api/security/v1/register.go generated vendored Normal file
View File

@ -0,0 +1,44 @@
package v1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema"
)
var (
GroupName = "security.openshift.io"
GroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"}
schemeBuilder = runtime.NewSchemeBuilder(addKnownTypes, corev1.AddToScheme)
// Install is a function which adds this version to a scheme
Install = schemeBuilder.AddToScheme
// SchemeGroupVersion generated code relies on this name
// Deprecated
SchemeGroupVersion = GroupVersion
// AddToScheme exists solely to keep the old generators creating valid code
// DEPRECATED
AddToScheme = schemeBuilder.AddToScheme
)
// Resource generated code relies on this being here, but it logically belongs to the group
// DEPRECATED
func Resource(resource string) schema.GroupResource {
return schema.GroupResource{Group: GroupName, Resource: resource}
}
// Adds the list of known types to api.Scheme.
func addKnownTypes(scheme *runtime.Scheme) error {
scheme.AddKnownTypes(GroupVersion,
&SecurityContextConstraints{},
&SecurityContextConstraintsList{},
&PodSecurityPolicySubjectReview{},
&PodSecurityPolicySelfSubjectReview{},
&PodSecurityPolicyReview{},
&RangeAllocation{},
&RangeAllocationList{},
)
metav1.AddToGroupVersion(scheme, GroupVersion)
return nil
}

456
vendor/github.com/openshift/api/security/v1/types.go generated vendored Normal file
View File

@ -0,0 +1,456 @@
package v1
import (
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)
// AllowAllCapabilities can be used as a value for the
// SecurityContextConstraints.AllowAllCapabilities field and means that any
// capabilities are allowed to be requested.
var AllowAllCapabilities corev1.Capability = "*"
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
// that will be applied to a container.
// For historical reasons SCC was exposed under the core Kubernetes API group.
// That exposure is deprecated and will be removed in a future release - users
// should instead use the security.openshift.io group to manage
// SecurityContextConstraints.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
// +kubebuilder:singular=securitycontextconstraint
// +openshift:compatibility-gen:level=1
type SecurityContextConstraints struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
// a given pod request based on access in the Users and Groups fields. The higher the int, the
// higher priority. An unset value is considered a 0 priority. If scores
// for multiple SCCs are equal they will be sorted from most restrictive to
// least restrictive. If both priorities and restrictions are equal the
// SCCs will be sorted by name.
// +nullable
Priority *int32 `json:"priority" protobuf:"varint,2,opt,name=priority"`
// AllowPrivilegedContainer determines if a container can request to be run as privileged.
AllowPrivilegedContainer bool `json:"allowPrivilegedContainer" protobuf:"varint,3,opt,name=allowPrivilegedContainer"`
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capabiility in both
// DefaultAddCapabilities and RequiredDropCapabilities.
// +nullable
DefaultAddCapabilities []corev1.Capability `json:"defaultAddCapabilities" protobuf:"bytes,4,rep,name=defaultAddCapabilities,casttype=Capability"`
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +nullable
RequiredDropCapabilities []corev1.Capability `json:"requiredDropCapabilities" protobuf:"bytes,5,rep,name=requiredDropCapabilities,casttype=Capability"`
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field maybe added at the pod author's discretion.
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
// To allow all capabilities you may use '*'.
// +nullable
AllowedCapabilities []corev1.Capability `json:"allowedCapabilities" protobuf:"bytes,6,rep,name=allowedCapabilities,casttype=Capability"`
// AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
// +k8s:conversion-gen=false
AllowHostDirVolumePlugin bool `json:"allowHostDirVolumePlugin" protobuf:"varint,7,opt,name=allowHostDirVolumePlugin"`
// Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
// of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
// To allow no volumes, set to ["none"].
// +nullable
Volumes []FSType `json:"volumes" protobuf:"bytes,8,rep,name=volumes,casttype=FSType"`
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
// +nullable
AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,21,rep,name=allowedFlexVolumes"`
// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
AllowHostNetwork bool `json:"allowHostNetwork" protobuf:"varint,9,opt,name=allowHostNetwork"`
// AllowHostPorts determines if the policy allows host ports in the containers.
AllowHostPorts bool `json:"allowHostPorts" protobuf:"varint,10,opt,name=allowHostPorts"`
// AllowHostPID determines if the policy allows host pid in the containers.
AllowHostPID bool `json:"allowHostPID" protobuf:"varint,11,opt,name=allowHostPID"`
// AllowHostIPC determines if the policy allows host ipc in the containers.
AllowHostIPC bool `json:"allowHostIPC" protobuf:"varint,12,opt,name=allowHostIPC"`
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
// +nullable
DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,22,rep,name=defaultAllowPrivilegeEscalation"`
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
// +nullable
AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,23,rep,name=allowPrivilegeEscalation"`
// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
// +nullable
SELinuxContext SELinuxContextStrategyOptions `json:"seLinuxContext,omitempty" protobuf:"bytes,13,opt,name=seLinuxContext"`
// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
// +nullable
RunAsUser RunAsUserStrategyOptions `json:"runAsUser,omitempty" protobuf:"bytes,14,opt,name=runAsUser"`
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
// +nullable
SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups,omitempty" protobuf:"bytes,15,opt,name=supplementalGroups"`
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
// +nullable
FSGroup FSGroupStrategyOptions `json:"fsGroup,omitempty" protobuf:"bytes,16,opt,name=fsGroup"`
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the SCC should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem" protobuf:"varint,17,opt,name=readOnlyRootFilesystem"`
// The users who have permissions to use this security context constraints
// +optional
// +nullable
Users []string `json:"users" protobuf:"bytes,18,rep,name=users"`
// The groups that have permission to use this security context constraints
// +optional
// +nullable
Groups []string `json:"groups" protobuf:"bytes,19,rep,name=groups"`
// SeccompProfiles lists the allowed profiles that may be set for the pod or
// container's seccomp annotations. An unset (nil) or empty value means that no profiles may
// be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
// +nullable
SeccompProfiles []string `json:"seccompProfiles,omitempty" protobuf:"bytes,20,opt,name=seccompProfiles"`
// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
// +nullable
AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,24,rep,name=allowedUnsafeSysctls"`
// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
// +nullable
ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,25,rep,name=forbiddenSysctls"`
}
// FS Type gives strong typing to different file systems that are used by volumes.
type FSType string
var (
FSTypeAzureFile FSType = "azureFile"
FSTypeAzureDisk FSType = "azureDisk"
FSTypeFlocker FSType = "flocker"
FSTypeFlexVolume FSType = "flexVolume"
FSTypeHostPath FSType = "hostPath"
FSTypeEmptyDir FSType = "emptyDir"
FSTypeGCEPersistentDisk FSType = "gcePersistentDisk"
FSTypeAWSElasticBlockStore FSType = "awsElasticBlockStore"
FSTypeGitRepo FSType = "gitRepo"
FSTypeSecret FSType = "secret"
FSTypeNFS FSType = "nfs"
FSTypeISCSI FSType = "iscsi"
FSTypeGlusterfs FSType = "glusterfs"
FSTypePersistentVolumeClaim FSType = "persistentVolumeClaim"
FSTypeRBD FSType = "rbd"
FSTypeCinder FSType = "cinder"
FSTypeCephFS FSType = "cephFS"
FSTypeDownwardAPI FSType = "downwardAPI"
FSTypeFC FSType = "fc"
FSTypeConfigMap FSType = "configMap"
FSTypeVsphereVolume FSType = "vsphere"
FSTypeQuobyte FSType = "quobyte"
FSTypePhotonPersistentDisk FSType = "photonPersistentDisk"
FSProjected FSType = "projected"
FSPortworxVolume FSType = "portworxVolume"
FSScaleIO FSType = "scaleIO"
FSStorageOS FSType = "storageOS"
FSTypeCSI FSType = "csi"
FSTypeEphemeral FSType = "ephemeral"
FSTypeAll FSType = "*"
FSTypeNone FSType = "none"
)
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
type AllowedFlexVolume struct {
// Driver is the name of the Flexvolume driver.
Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"`
}
// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
type SELinuxContextStrategyOptions struct {
// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
Type SELinuxContextStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=SELinuxContextStrategyType"`
// seLinuxOptions required to run as; required for MustRunAs
SELinuxOptions *corev1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"`
}
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
type RunAsUserStrategyOptions struct {
// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
Type RunAsUserStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=RunAsUserStrategyType"`
// UID is the user id that containers must run as. Required for the MustRunAs strategy if not using
// namespace/service account allocated uids.
UID *int64 `json:"uid,omitempty" protobuf:"varint,2,opt,name=uid"`
// UIDRangeMin defines the min value for a strategy that allocates by range.
UIDRangeMin *int64 `json:"uidRangeMin,omitempty" protobuf:"varint,3,opt,name=uidRangeMin"`
// UIDRangeMax defines the max value for a strategy that allocates by range.
UIDRangeMax *int64 `json:"uidRangeMax,omitempty" protobuf:"varint,4,opt,name=uidRangeMax"`
}
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
type FSGroupStrategyOptions struct {
// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
Type FSGroupStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=FSGroupStrategyType"`
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end.
Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
}
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
type SupplementalGroupsStrategyOptions struct {
// Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
Type SupplementalGroupsStrategyType `json:"type,omitempty" protobuf:"bytes,1,opt,name=type,casttype=SupplementalGroupsStrategyType"`
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end.
Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
}
// IDRange provides a min/max of an allowed range of IDs.
// TODO: this could be reused for UIDs.
type IDRange struct {
// Min is the start of the range, inclusive.
Min int64 `json:"min,omitempty" protobuf:"varint,1,opt,name=min"`
// Max is the end of the range, inclusive.
Max int64 `json:"max,omitempty" protobuf:"varint,2,opt,name=max"`
}
// SELinuxContextStrategyType denotes strategy types for generating SELinux options for a
// SecurityContext
type SELinuxContextStrategyType string
// RunAsUserStrategyType denotes strategy types for generating RunAsUser values for a
// SecurityContext
type RunAsUserStrategyType string
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
// groups for a SecurityContext.
type SupplementalGroupsStrategyType string
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
// SecurityContext
type FSGroupStrategyType string
const (
// container must have SELinux labels of X applied.
SELinuxStrategyMustRunAs SELinuxContextStrategyType = "MustRunAs"
// container may make requests for any SELinux context labels.
SELinuxStrategyRunAsAny SELinuxContextStrategyType = "RunAsAny"
// container must run as a particular uid.
RunAsUserStrategyMustRunAs RunAsUserStrategyType = "MustRunAs"
// container must run as a particular uid.
RunAsUserStrategyMustRunAsRange RunAsUserStrategyType = "MustRunAsRange"
// container must run as a non-root uid
RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategyType = "MustRunAsNonRoot"
// container may make requests for any uid.
RunAsUserStrategyRunAsAny RunAsUserStrategyType = "RunAsAny"
// container must have FSGroup of X applied.
FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
// container may make requests for any FSGroup labels.
FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
// container must run as a particular gid.
SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
// container may make requests for any gid.
SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
)
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type SecurityContextConstraintsList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// List of security context constraints.
Items []SecurityContextConstraints `json:"items" protobuf:"bytes,2,rep,name=items"`
}
// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type PodSecurityPolicySubjectReview struct {
metav1.TypeMeta `json:",inline"`
// spec defines specification for the PodSecurityPolicySubjectReview.
Spec PodSecurityPolicySubjectReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`
// status represents the current information/status for the PodSecurityPolicySubjectReview.
Status PodSecurityPolicySubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
type PodSecurityPolicySubjectReviewSpec struct {
// template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
// If its non-empty, it will be checked.
Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"`
// user is the user you're testing for.
// If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups.
// If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
User string `json:"user,omitempty" protobuf:"bytes,2,opt,name=user"`
// groups is the groups you're testing for.
Groups []string `json:"groups,omitempty" protobuf:"bytes,3,rep,name=groups"`
}
// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
type PodSecurityPolicySubjectReviewStatus struct {
// allowedBy is a reference to the rule that allows the PodTemplateSpec.
// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
// A `nil`, indicates that it was denied.
AllowedBy *corev1.ObjectReference `json:"allowedBy,omitempty" protobuf:"bytes,1,opt,name=allowedBy"`
// A machine-readable description of why this operation is in the
// "Failure" status. If this value is empty there
// is no information available.
Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
// template is the PodTemplateSpec after the defaulting is applied.
Template corev1.PodTemplateSpec `json:"template,omitempty" protobuf:"bytes,3,opt,name=template"`
}
// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type PodSecurityPolicySelfSubjectReview struct {
metav1.TypeMeta `json:",inline"`
// spec defines specification the PodSecurityPolicySelfSubjectReview.
Spec PodSecurityPolicySelfSubjectReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`
// status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
Status PodSecurityPolicySubjectReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
type PodSecurityPolicySelfSubjectReviewSpec struct {
// template is the PodTemplateSpec to check.
Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"`
}
// +genclient
// +genclient:onlyVerbs=create
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type PodSecurityPolicyReview struct {
metav1.TypeMeta `json:",inline"`
// spec is the PodSecurityPolicy to check.
Spec PodSecurityPolicyReviewSpec `json:"spec" protobuf:"bytes,1,opt,name=spec"`
// status represents the current information/status for the PodSecurityPolicyReview.
Status PodSecurityPolicyReviewStatus `json:"status,omitempty" protobuf:"bytes,2,opt,name=status"`
}
// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
type PodSecurityPolicyReviewSpec struct {
// template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
// if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
// in which case "default" is used.
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
Template corev1.PodTemplateSpec `json:"template" protobuf:"bytes,1,opt,name=template"`
// serviceAccountNames is an optional set of ServiceAccounts to run the check with.
// If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
// unless it's empty, in which case "default" is used instead.
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
ServiceAccountNames []string `json:"serviceAccountNames,omitempty" protobuf:"bytes,2,rep,name=serviceAccountNames"` // TODO: find a way to express 'all service accounts'
}
// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
type PodSecurityPolicyReviewStatus struct {
// allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
AllowedServiceAccounts []ServiceAccountPodSecurityPolicyReviewStatus `json:"allowedServiceAccounts" protobuf:"bytes,1,rep,name=allowedServiceAccounts"`
}
// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
type ServiceAccountPodSecurityPolicyReviewStatus struct {
PodSecurityPolicySubjectReviewStatus `json:",inline" protobuf:"bytes,1,opt,name=podSecurityPolicySubjectReviewStatus"`
// name contains the allowed and the denied ServiceAccount name
Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
}
// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RangeAllocation struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
Range string `json:"range" protobuf:"bytes,2,opt,name=range"`
// data is a byte array representing the serialized state of a range allocation. It is a bitmap
// with each bit set to one to represent a range is taken.
Data []byte `json:"data" protobuf:"bytes,3,opt,name=data"`
}
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
// RangeAllocationList is a list of RangeAllocations objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
type RangeAllocationList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// List of RangeAllocations.
Items []RangeAllocation `json:"items" protobuf:"bytes,2,rep,name=items"`
}

532
vendor/github.com/openshift/api/security/v1/zz_generated.deepcopy.go generated vendored Normal file
View File

@ -0,0 +1,532 @@
// +build !ignore_autogenerated
// Code generated by deepcopy-gen. DO NOT EDIT.
package v1
import (
corev1 "k8s.io/api/core/v1"
runtime "k8s.io/apimachinery/pkg/runtime"
)
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *AllowedFlexVolume) DeepCopyInto(out *AllowedFlexVolume) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedFlexVolume.
func (in *AllowedFlexVolume) DeepCopy() *AllowedFlexVolume {
if in == nil {
return nil
}
out := new(AllowedFlexVolume)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *FSGroupStrategyOptions) DeepCopyInto(out *FSGroupStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]IDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSGroupStrategyOptions.
func (in *FSGroupStrategyOptions) DeepCopy() *FSGroupStrategyOptions {
if in == nil {
return nil
}
out := new(FSGroupStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *IDRange) DeepCopyInto(out *IDRange) {
*out = *in
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDRange.
func (in *IDRange) DeepCopy() *IDRange {
if in == nil {
return nil
}
out := new(IDRange)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicyReview) DeepCopyInto(out *PodSecurityPolicyReview) {
*out = *in
out.TypeMeta = in.TypeMeta
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReview.
func (in *PodSecurityPolicyReview) DeepCopy() *PodSecurityPolicyReview {
if in == nil {
return nil
}
out := new(PodSecurityPolicyReview)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicyReview) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicyReviewSpec) DeepCopyInto(out *PodSecurityPolicyReviewSpec) {
*out = *in
in.Template.DeepCopyInto(&out.Template)
if in.ServiceAccountNames != nil {
in, out := &in.ServiceAccountNames, &out.ServiceAccountNames
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewSpec.
func (in *PodSecurityPolicyReviewSpec) DeepCopy() *PodSecurityPolicyReviewSpec {
if in == nil {
return nil
}
out := new(PodSecurityPolicyReviewSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicyReviewStatus) DeepCopyInto(out *PodSecurityPolicyReviewStatus) {
*out = *in
if in.AllowedServiceAccounts != nil {
in, out := &in.AllowedServiceAccounts, &out.AllowedServiceAccounts
*out = make([]ServiceAccountPodSecurityPolicyReviewStatus, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicyReviewStatus.
func (in *PodSecurityPolicyReviewStatus) DeepCopy() *PodSecurityPolicyReviewStatus {
if in == nil {
return nil
}
out := new(PodSecurityPolicyReviewStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySelfSubjectReview) DeepCopyInto(out *PodSecurityPolicySelfSubjectReview) {
*out = *in
out.TypeMeta = in.TypeMeta
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReview.
func (in *PodSecurityPolicySelfSubjectReview) DeepCopy() *PodSecurityPolicySelfSubjectReview {
if in == nil {
return nil
}
out := new(PodSecurityPolicySelfSubjectReview)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicySelfSubjectReview) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySelfSubjectReviewSpec) {
*out = *in
in.Template.DeepCopyInto(&out.Template)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySelfSubjectReviewSpec.
func (in *PodSecurityPolicySelfSubjectReviewSpec) DeepCopy() *PodSecurityPolicySelfSubjectReviewSpec {
if in == nil {
return nil
}
out := new(PodSecurityPolicySelfSubjectReviewSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySubjectReview) DeepCopyInto(out *PodSecurityPolicySubjectReview) {
*out = *in
out.TypeMeta = in.TypeMeta
in.Spec.DeepCopyInto(&out.Spec)
in.Status.DeepCopyInto(&out.Status)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReview.
func (in *PodSecurityPolicySubjectReview) DeepCopy() *PodSecurityPolicySubjectReview {
if in == nil {
return nil
}
out := new(PodSecurityPolicySubjectReview)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *PodSecurityPolicySubjectReview) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySubjectReviewSpec) DeepCopyInto(out *PodSecurityPolicySubjectReviewSpec) {
*out = *in
in.Template.DeepCopyInto(&out.Template)
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewSpec.
func (in *PodSecurityPolicySubjectReviewSpec) DeepCopy() *PodSecurityPolicySubjectReviewSpec {
if in == nil {
return nil
}
out := new(PodSecurityPolicySubjectReviewSpec)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *PodSecurityPolicySubjectReviewStatus) DeepCopyInto(out *PodSecurityPolicySubjectReviewStatus) {
*out = *in
if in.AllowedBy != nil {
in, out := &in.AllowedBy, &out.AllowedBy
*out = new(corev1.ObjectReference)
**out = **in
}
in.Template.DeepCopyInto(&out.Template)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PodSecurityPolicySubjectReviewStatus.
func (in *PodSecurityPolicySubjectReviewStatus) DeepCopy() *PodSecurityPolicySubjectReviewStatus {
if in == nil {
return nil
}
out := new(PodSecurityPolicySubjectReviewStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RangeAllocation) DeepCopyInto(out *RangeAllocation) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
if in.Data != nil {
in, out := &in.Data, &out.Data
*out = make([]byte, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocation.
func (in *RangeAllocation) DeepCopy() *RangeAllocation {
if in == nil {
return nil
}
out := new(RangeAllocation)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *RangeAllocation) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RangeAllocationList) DeepCopyInto(out *RangeAllocationList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]RangeAllocation, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeAllocationList.
func (in *RangeAllocationList) DeepCopy() *RangeAllocationList {
if in == nil {
return nil
}
out := new(RangeAllocationList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *RangeAllocationList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *RunAsUserStrategyOptions) DeepCopyInto(out *RunAsUserStrategyOptions) {
*out = *in
if in.UID != nil {
in, out := &in.UID, &out.UID
*out = new(int64)
**out = **in
}
if in.UIDRangeMin != nil {
in, out := &in.UIDRangeMin, &out.UIDRangeMin
*out = new(int64)
**out = **in
}
if in.UIDRangeMax != nil {
in, out := &in.UIDRangeMax, &out.UIDRangeMax
*out = new(int64)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunAsUserStrategyOptions.
func (in *RunAsUserStrategyOptions) DeepCopy() *RunAsUserStrategyOptions {
if in == nil {
return nil
}
out := new(RunAsUserStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SELinuxContextStrategyOptions) DeepCopyInto(out *SELinuxContextStrategyOptions) {
*out = *in
if in.SELinuxOptions != nil {
in, out := &in.SELinuxOptions, &out.SELinuxOptions
*out = new(corev1.SELinuxOptions)
**out = **in
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SELinuxContextStrategyOptions.
func (in *SELinuxContextStrategyOptions) DeepCopy() *SELinuxContextStrategyOptions {
if in == nil {
return nil
}
out := new(SELinuxContextStrategyOptions)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SecurityContextConstraints) DeepCopyInto(out *SecurityContextConstraints) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
if in.Priority != nil {
in, out := &in.Priority, &out.Priority
*out = new(int32)
**out = **in
}
if in.DefaultAddCapabilities != nil {
in, out := &in.DefaultAddCapabilities, &out.DefaultAddCapabilities
*out = make([]corev1.Capability, len(*in))
copy(*out, *in)
}
if in.RequiredDropCapabilities != nil {
in, out := &in.RequiredDropCapabilities, &out.RequiredDropCapabilities
*out = make([]corev1.Capability, len(*in))
copy(*out, *in)
}
if in.AllowedCapabilities != nil {
in, out := &in.AllowedCapabilities, &out.AllowedCapabilities
*out = make([]corev1.Capability, len(*in))
copy(*out, *in)
}
if in.Volumes != nil {
in, out := &in.Volumes, &out.Volumes
*out = make([]FSType, len(*in))
copy(*out, *in)
}
if in.AllowedFlexVolumes != nil {
in, out := &in.AllowedFlexVolumes, &out.AllowedFlexVolumes
*out = make([]AllowedFlexVolume, len(*in))
copy(*out, *in)
}
if in.DefaultAllowPrivilegeEscalation != nil {
in, out := &in.DefaultAllowPrivilegeEscalation, &out.DefaultAllowPrivilegeEscalation
*out = new(bool)
**out = **in
}
if in.AllowPrivilegeEscalation != nil {
in, out := &in.AllowPrivilegeEscalation, &out.AllowPrivilegeEscalation
*out = new(bool)
**out = **in
}
in.SELinuxContext.DeepCopyInto(&out.SELinuxContext)
in.RunAsUser.DeepCopyInto(&out.RunAsUser)
in.SupplementalGroups.DeepCopyInto(&out.SupplementalGroups)
in.FSGroup.DeepCopyInto(&out.FSGroup)
if in.Users != nil {
in, out := &in.Users, &out.Users
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Groups != nil {
in, out := &in.Groups, &out.Groups
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.SeccompProfiles != nil {
in, out := &in.SeccompProfiles, &out.SeccompProfiles
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.AllowedUnsafeSysctls != nil {
in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.ForbiddenSysctls != nil {
in, out := &in.ForbiddenSysctls, &out.ForbiddenSysctls
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraints.
func (in *SecurityContextConstraints) DeepCopy() *SecurityContextConstraints {
if in == nil {
return nil
}
out := new(SecurityContextConstraints)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *SecurityContextConstraints) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SecurityContextConstraintsList) DeepCopyInto(out *SecurityContextConstraintsList) {
*out = *in
out.TypeMeta = in.TypeMeta
in.ListMeta.DeepCopyInto(&out.ListMeta)
if in.Items != nil {
in, out := &in.Items, &out.Items
*out = make([]SecurityContextConstraints, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityContextConstraintsList.
func (in *SecurityContextConstraintsList) DeepCopy() *SecurityContextConstraintsList {
if in == nil {
return nil
}
out := new(SecurityContextConstraintsList)
in.DeepCopyInto(out)
return out
}
// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (in *SecurityContextConstraintsList) DeepCopyObject() runtime.Object {
if c := in.DeepCopy(); c != nil {
return c
}
return nil
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopyInto(out *ServiceAccountPodSecurityPolicyReviewStatus) {
*out = *in
in.PodSecurityPolicySubjectReviewStatus.DeepCopyInto(&out.PodSecurityPolicySubjectReviewStatus)
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountPodSecurityPolicyReviewStatus.
func (in *ServiceAccountPodSecurityPolicyReviewStatus) DeepCopy() *ServiceAccountPodSecurityPolicyReviewStatus {
if in == nil {
return nil
}
out := new(ServiceAccountPodSecurityPolicyReviewStatus)
in.DeepCopyInto(out)
return out
}
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *SupplementalGroupsStrategyOptions) DeepCopyInto(out *SupplementalGroupsStrategyOptions) {
*out = *in
if in.Ranges != nil {
in, out := &in.Ranges, &out.Ranges
*out = make([]IDRange, len(*in))
copy(*out, *in)
}
return
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SupplementalGroupsStrategyOptions.
func (in *SupplementalGroupsStrategyOptions) DeepCopy() *SupplementalGroupsStrategyOptions {
if in == nil {
return nil
}
out := new(SupplementalGroupsStrategyOptions)
in.DeepCopyInto(out)
return out
}

224
vendor/github.com/openshift/api/security/v1/zz_generated.swagger_doc_generated.go generated vendored Normal file
View File

@ -0,0 +1,224 @@
package v1
// This file contains a collection of methods that can be used from go-restful to
// generate Swagger API documentation for its models. Please read this PR for more
// information on the implementation: https://github.com/emicklei/go-restful/pull/215
//
// TODOs are ignored from the parser (e.g. TODO(andronat):... || TODO:...) if and only if
// they are on one line! For multiple line or blocks that you want to ignore use ---.
// Any context after a --- is ignored.
//
// Those methods can be generated by using hack/update-swagger-docs.sh
// AUTO-GENERATED FUNCTIONS START HERE
var map_AllowedFlexVolume = map[string]string{
"": "AllowedFlexVolume represents a single Flexvolume that is allowed to be used.",
"driver": "Driver is the name of the Flexvolume driver.",
}
func (AllowedFlexVolume) SwaggerDoc() map[string]string {
return map_AllowedFlexVolume
}
var map_FSGroupStrategyOptions = map[string]string{
"": "FSGroupStrategyOptions defines the strategy type and options used to create the strategy.",
"type": "Type is the strategy that will dictate what FSGroup is used in the SecurityContext.",
"ranges": "Ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end.",
}
func (FSGroupStrategyOptions) SwaggerDoc() map[string]string {
return map_FSGroupStrategyOptions
}
var map_IDRange = map[string]string{
"": "IDRange provides a min/max of an allowed range of IDs.",
"min": "Min is the start of the range, inclusive.",
"max": "Max is the end of the range, inclusive.",
}
func (IDRange) SwaggerDoc() map[string]string {
return map_IDRange
}
var map_PodSecurityPolicyReview = map[string]string{
"": "PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"spec": "spec is the PodSecurityPolicy to check.",
"status": "status represents the current information/status for the PodSecurityPolicyReview.",
}
func (PodSecurityPolicyReview) SwaggerDoc() map[string]string {
return map_PodSecurityPolicyReview
}
var map_PodSecurityPolicyReviewSpec = map[string]string{
"": "PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview",
"template": "template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty, in which case \"default\" is used. If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.",
"serviceAccountNames": "serviceAccountNames is an optional set of ServiceAccounts to run the check with. If serviceAccountNames is empty, the template.spec.serviceAccountName is used, unless it's empty, in which case \"default\" is used instead. If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.",
}
func (PodSecurityPolicyReviewSpec) SwaggerDoc() map[string]string {
return map_PodSecurityPolicyReviewSpec
}
var map_PodSecurityPolicyReviewStatus = map[string]string{
"": "PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.",
"allowedServiceAccounts": "allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.",
}
func (PodSecurityPolicyReviewStatus) SwaggerDoc() map[string]string {
return map_PodSecurityPolicyReviewStatus
}
var map_PodSecurityPolicySelfSubjectReview = map[string]string{
"": "PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"spec": "spec defines specification the PodSecurityPolicySelfSubjectReview.",
"status": "status represents the current information/status for the PodSecurityPolicySelfSubjectReview.",
}
func (PodSecurityPolicySelfSubjectReview) SwaggerDoc() map[string]string {
return map_PodSecurityPolicySelfSubjectReview
}
var map_PodSecurityPolicySelfSubjectReviewSpec = map[string]string{
"": "PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.",
"template": "template is the PodTemplateSpec to check.",
}
func (PodSecurityPolicySelfSubjectReviewSpec) SwaggerDoc() map[string]string {
return map_PodSecurityPolicySelfSubjectReviewSpec
}
var map_PodSecurityPolicySubjectReview = map[string]string{
"": "PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"spec": "spec defines specification for the PodSecurityPolicySubjectReview.",
"status": "status represents the current information/status for the PodSecurityPolicySubjectReview.",
}
func (PodSecurityPolicySubjectReview) SwaggerDoc() map[string]string {
return map_PodSecurityPolicySubjectReview
}
var map_PodSecurityPolicySubjectReviewSpec = map[string]string{
"": "PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview",
"template": "template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted. If its non-empty, it will be checked.",
"user": "user is the user you're testing for. If you specify \"user\" but not \"group\", then is it interpreted as \"What if user were not a member of any groups. If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.",
"groups": "groups is the groups you're testing for.",
}
func (PodSecurityPolicySubjectReviewSpec) SwaggerDoc() map[string]string {
return map_PodSecurityPolicySubjectReviewSpec
}
var map_PodSecurityPolicySubjectReviewStatus = map[string]string{
"": "PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.",
"allowedBy": "allowedBy is a reference to the rule that allows the PodTemplateSpec. A rule can be a SecurityContextConstraint or a PodSecurityPolicy A `nil`, indicates that it was denied.",
"reason": "A machine-readable description of why this operation is in the \"Failure\" status. If this value is empty there is no information available.",
"template": "template is the PodTemplateSpec after the defaulting is applied.",
}
func (PodSecurityPolicySubjectReviewStatus) SwaggerDoc() map[string]string {
return map_PodSecurityPolicySubjectReviewStatus
}
var map_RangeAllocation = map[string]string{
"": "RangeAllocation is used so we can easily expose a RangeAllocation typed for security group\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"range": "range is a string representing a unique label for a range of uids, \"1000000000-2000000000/10000\".",
"data": "data is a byte array representing the serialized state of a range allocation. It is a bitmap with each bit set to one to represent a range is taken.",
}
func (RangeAllocation) SwaggerDoc() map[string]string {
return map_RangeAllocation
}
var map_RangeAllocationList = map[string]string{
"": "RangeAllocationList is a list of RangeAllocations objects\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"items": "List of RangeAllocations.",
}
func (RangeAllocationList) SwaggerDoc() map[string]string {
return map_RangeAllocationList
}
var map_RunAsUserStrategyOptions = map[string]string{
"": "RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.",
"type": "Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.",
"uid": "UID is the user id that containers must run as. Required for the MustRunAs strategy if not using namespace/service account allocated uids.",
"uidRangeMin": "UIDRangeMin defines the min value for a strategy that allocates by range.",
"uidRangeMax": "UIDRangeMax defines the max value for a strategy that allocates by range.",
}
func (RunAsUserStrategyOptions) SwaggerDoc() map[string]string {
return map_RunAsUserStrategyOptions
}
var map_SELinuxContextStrategyOptions = map[string]string{
"": "SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.",
"type": "Type is the strategy that will dictate what SELinux context is used in the SecurityContext.",
"seLinuxOptions": "seLinuxOptions required to run as; required for MustRunAs",
}
func (SELinuxContextStrategyOptions) SwaggerDoc() map[string]string {
return map_SELinuxContextStrategyOptions
}
var map_SecurityContextConstraints = map[string]string{
"": "SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints.\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"priority": "Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name.",
"allowPrivilegedContainer": "AllowPrivilegedContainer determines if a container can request to be run as privileged.",
"defaultAddCapabilities": "DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capabiility in both DefaultAddCapabilities and RequiredDropCapabilities.",
"requiredDropCapabilities": "RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.",
"allowedCapabilities": "AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field maybe added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'.",
"allowHostDirVolumePlugin": "AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin",
"volumes": "Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use \"*\". To allow no volumes, set to [\"none\"].",
"allowedFlexVolumes": "AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the \"Volumes\" field.",
"allowHostNetwork": "AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.",
"allowHostPorts": "AllowHostPorts determines if the policy allows host ports in the containers.",
"allowHostPID": "AllowHostPID determines if the policy allows host pid in the containers.",
"allowHostIPC": "AllowHostIPC determines if the policy allows host ipc in the containers.",
"defaultAllowPrivilegeEscalation": "DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.",
"allowPrivilegeEscalation": "AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.",
"seLinuxContext": "SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.",
"runAsUser": "RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.",
"supplementalGroups": "SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.",
"fsGroup": "FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.",
"readOnlyRootFilesystem": "ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.",
"users": "The users who have permissions to use this security context constraints",
"groups": "The groups that have permission to use this security context constraints",
"seccompProfiles": "SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specifid by the pod or container.\tThe wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default.",
"allowedUnsafeSysctls": "AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.\n\nExamples: e.g. \"foo/*\" allows \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" allows \"foo.bar\", \"foo.baz\", etc.",
"forbiddenSysctls": "ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in \"*\" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.\n\nExamples: e.g. \"foo/*\" forbids \"foo/bar\", \"foo/baz\", etc. e.g. \"foo.*\" forbids \"foo.bar\", \"foo.baz\", etc.",
}
func (SecurityContextConstraints) SwaggerDoc() map[string]string {
return map_SecurityContextConstraints
}
var map_SecurityContextConstraintsList = map[string]string{
"": "SecurityContextConstraintsList is a list of SecurityContextConstraints objects\n\nCompatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).",
"items": "List of security context constraints.",
}
func (SecurityContextConstraintsList) SwaggerDoc() map[string]string {
return map_SecurityContextConstraintsList
}
var map_ServiceAccountPodSecurityPolicyReviewStatus = map[string]string{
"": "ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status",
"name": "name contains the allowed and the denied ServiceAccount name",
}
func (ServiceAccountPodSecurityPolicyReviewStatus) SwaggerDoc() map[string]string {
return map_ServiceAccountPodSecurityPolicyReviewStatus
}
var map_SupplementalGroupsStrategyOptions = map[string]string{
"": "SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.",
"type": "Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.",
"ranges": "Ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end.",
}
func (SupplementalGroupsStrategyOptions) SwaggerDoc() map[string]string {
return map_SupplementalGroupsStrategyOptions
}
// AUTO-GENERATED FUNCTIONS END HERE