Class SecurityContextConstraints

  • All Implemented Interfaces:
    io.fabric8.kubernetes.api.builder.Editable<SecurityContextConstraintsBuilder>, io.fabric8.kubernetes.api.model.HasMetadata, io.fabric8.kubernetes.api.model.KubernetesResource, Serializable

    @Generated("io.fabric8.kubernetes.schema.generator.model.ModelGenerator")
    public class SecurityContextConstraints
    extends Object
    implements io.fabric8.kubernetes.api.builder.Editable<SecurityContextConstraintsBuilder>, io.fabric8.kubernetes.api.model.HasMetadata
    SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints.


    Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).

    See Also:
    Serialized Form
    • Method Detail

      • getAllowHostDirVolumePlugin

        public Boolean getAllowHostDirVolumePlugin()
        allowHostDirVolumePlugin determines if the policy allows containers to use the HostDir volume plugin.
      • setAllowHostDirVolumePlugin

        public void setAllowHostDirVolumePlugin(Boolean allowHostDirVolumePlugin)
        allowHostDirVolumePlugin determines if the policy allows containers to use the HostDir volume plugin.
      • getAllowHostIPC

        public Boolean getAllowHostIPC()
        allowHostIPC determines if the policy allows host ipc in the containers.
      • setAllowHostIPC

        public void setAllowHostIPC(Boolean allowHostIPC)
        allowHostIPC determines if the policy allows host ipc in the containers.
      • getAllowHostNetwork

        public Boolean getAllowHostNetwork()
        allowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
      • setAllowHostNetwork

        public void setAllowHostNetwork(Boolean allowHostNetwork)
        allowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
      • getAllowHostPID

        public Boolean getAllowHostPID()
        allowHostPID determines if the policy allows host pid in the containers.
      • setAllowHostPID

        public void setAllowHostPID(Boolean allowHostPID)
        allowHostPID determines if the policy allows host pid in the containers.
      • getAllowHostPorts

        public Boolean getAllowHostPorts()
        allowHostPorts determines if the policy allows host ports in the containers.
      • setAllowHostPorts

        public void setAllowHostPorts(Boolean allowHostPorts)
        allowHostPorts determines if the policy allows host ports in the containers.
      • getAllowPrivilegeEscalation

        public Boolean getAllowPrivilegeEscalation()
        allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
      • setAllowPrivilegeEscalation

        public void setAllowPrivilegeEscalation(Boolean allowPrivilegeEscalation)
        allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
      • getAllowPrivilegedContainer

        public Boolean getAllowPrivilegedContainer()
        allowPrivilegedContainer determines if a container can request to be run as privileged.
      • setAllowPrivilegedContainer

        public void setAllowPrivilegedContainer(Boolean allowPrivilegedContainer)
        allowPrivilegedContainer determines if a container can request to be run as privileged.
      • getAllowedCapabilities

        public List<String> getAllowedCapabilities()
        allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'.
      • setAllowedCapabilities

        public void setAllowedCapabilities(List<String> allowedCapabilities)
        allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'.
      • getAllowedFlexVolumes

        public List<AllowedFlexVolume> getAllowedFlexVolumes()
        allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field.
      • setAllowedFlexVolumes

        public void setAllowedFlexVolumes(List<AllowedFlexVolume> allowedFlexVolumes)
        allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field.
      • getAllowedUnsafeSysctls

        public List<String> getAllowedUnsafeSysctls()
        allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.


        Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.

      • setAllowedUnsafeSysctls

        public void setAllowedUnsafeSysctls(List<String> allowedUnsafeSysctls)
        allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.


        Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.

      • getApiVersion

        public String getApiVersion()
        APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
        Specified by:
        getApiVersion in interface io.fabric8.kubernetes.api.model.HasMetadata
      • setApiVersion

        public void setApiVersion(String apiVersion)
        APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
        Specified by:
        setApiVersion in interface io.fabric8.kubernetes.api.model.HasMetadata
      • getDefaultAddCapabilities

        public List<String> getDefaultAddCapabilities()
        defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities.
      • setDefaultAddCapabilities

        public void setDefaultAddCapabilities(List<String> defaultAddCapabilities)
        defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities.
      • getDefaultAllowPrivilegeEscalation

        public Boolean getDefaultAllowPrivilegeEscalation()
        defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
      • setDefaultAllowPrivilegeEscalation

        public void setDefaultAllowPrivilegeEscalation(Boolean defaultAllowPrivilegeEscalation)
        defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
      • getForbiddenSysctls

        public List<String> getForbiddenSysctls()
        forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.


        Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.

      • setForbiddenSysctls

        public void setForbiddenSysctls(List<String> forbiddenSysctls)
        forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.


        Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.

      • getFsGroup

        public FSGroupStrategyOptions getFsGroup()
      • setFsGroup

        public void setFsGroup(FSGroupStrategyOptions fsGroup)
      • getGroups

        public List<String> getGroups()
        The groups that have permission to use this security context constraints
      • setGroups

        public void setGroups(List<String> groups)
        The groups that have permission to use this security context constraints
      • getKind

        public String getKind()
        Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
        Specified by:
        getKind in interface io.fabric8.kubernetes.api.model.HasMetadata
      • setKind

        public void setKind(String kind)
        Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
      • getMetadata

        public io.fabric8.kubernetes.api.model.ObjectMeta getMetadata()
        Specified by:
        getMetadata in interface io.fabric8.kubernetes.api.model.HasMetadata
      • setMetadata

        public void setMetadata(io.fabric8.kubernetes.api.model.ObjectMeta metadata)
        Specified by:
        setMetadata in interface io.fabric8.kubernetes.api.model.HasMetadata
      • getPriority

        public Integer getPriority()
        priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name.
      • setPriority

        public void setPriority(Integer priority)
        priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name.
      • getReadOnlyRootFilesystem

        public Boolean getReadOnlyRootFilesystem()
        readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
      • setReadOnlyRootFilesystem

        public void setReadOnlyRootFilesystem(Boolean readOnlyRootFilesystem)
        readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
      • getRequiredDropCapabilities

        public List<String> getRequiredDropCapabilities()
        requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
      • setRequiredDropCapabilities

        public void setRequiredDropCapabilities(List<String> requiredDropCapabilities)
        requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
      • getRunAsUser

        public RunAsUserStrategyOptions getRunAsUser()
      • setRunAsUser

        public void setRunAsUser(RunAsUserStrategyOptions runAsUser)
      • getSeLinuxContext

        public SELinuxContextStrategyOptions getSeLinuxContext()
      • setSeLinuxContext

        public void setSeLinuxContext(SELinuxContextStrategyOptions seLinuxContext)
      • getSeccompProfiles

        public List<String> getSeccompProfiles()
        seccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specified by the pod or container. The wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default.
      • setSeccompProfiles

        public void setSeccompProfiles(List<String> seccompProfiles)
        seccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specified by the pod or container. The wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default.
      • getSupplementalGroups

        public SupplementalGroupsStrategyOptions getSupplementalGroups()
      • setSupplementalGroups

        public void setSupplementalGroups(SupplementalGroupsStrategyOptions supplementalGroups)
      • getUserNamespaceLevel

        public String getUserNamespaceLevel()
        userNamespaceLevel determines if the policy allows host users in containers. Valid values are "AllowHostLevel", "RequirePodLevel", and omitted. When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`. When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`. When omitted, the default value is "AllowHostLevel".
      • setUserNamespaceLevel

        public void setUserNamespaceLevel(String userNamespaceLevel)
        userNamespaceLevel determines if the policy allows host users in containers. Valid values are "AllowHostLevel", "RequirePodLevel", and omitted. When "AllowHostLevel" is set, a pod author may set `hostUsers` to either `true` or `false`. When "RequirePodLevel" is set, a pod author must set `hostUsers` to `false`. When omitted, the default value is "AllowHostLevel".
      • getUsers

        public List<String> getUsers()
        The users who have permissions to use this security context constraints
      • setUsers

        public void setUsers(List<String> users)
        The users who have permissions to use this security context constraints
      • getVolumes

        public List<String> getVolumes()
        volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"].
      • setVolumes

        public void setVolumes(List<String> volumes)
        volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"].
      • getAdditionalProperties

        public Map<String,Object> getAdditionalProperties()
      • setAdditionalProperty

        public void setAdditionalProperty(String name,
                                          Object value)
      • setAdditionalProperties

        public void setAdditionalProperties(Map<String,Object> additionalProperties)
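
An added example, not part of the fabric8 Javadoc: a small audit that reads an SCC through the getters documented above and reports host-access flags, wildcards, the documented defaults for unset fields, and capabilities listed in conflicting lists. The import package `io.fabric8.openshift.api.model` is assumed (this page does not show it); `SccAudit`, `findings`, `matchesAny` and `permitsUnsafeSysctl` are hypothetical names, the sample SCC is constructed, and treating a forbidden sysctl entry as overriding an allowed one is an assumption.

```java
import io.fabric8.openshift.api.model.SecurityContextConstraints;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class SccAudit {

    // Treat a null list from a getter as empty so an unset field is handled.
    static List<String> orEmpty(List<String> l) { return l == null ? Collections.emptyList() : l; }

    static void flagIfTrue(List<String> out, String field, Boolean value) {
        if (Boolean.TRUE.equals(value)) out.add(field + " is enabled");
    }

    // Documented sysctl entry syntax: a trailing "*" makes the entry a prefix; "*" alone matches all.
    static boolean matchesAny(List<String> entries, String sysctl) {
        for (String e : orEmpty(entries)) {
            boolean hit = e.endsWith("*")
                    ? sysctl.startsWith(e.substring(0, e.length() - 1))
                    : e.equals(sysctl);
            if (hit) return true;
        }
        return false;
    }

    // Assumption: when both lists match a name, the forbidden entry wins.
    static boolean permitsUnsafeSysctl(SecurityContextConstraints scc, String sysctl) {
        return matchesAny(scc.getAllowedUnsafeSysctls(), sysctl)
                && !matchesAny(scc.getForbiddenSysctls(), sysctl);
    }

    static List<String> findings(SecurityContextConstraints scc) {
        List<String> out = new ArrayList<>();
        flagIfTrue(out, "allowPrivilegedContainer", scc.getAllowPrivilegedContainer());
        flagIfTrue(out, "allowHostNetwork", scc.getAllowHostNetwork());
        flagIfTrue(out, "allowHostPID", scc.getAllowHostPID());
        flagIfTrue(out, "allowHostIPC", scc.getAllowHostIPC());
        flagIfTrue(out, "allowHostPorts", scc.getAllowHostPorts());
        flagIfTrue(out, "allowHostDirVolumePlugin", scc.getAllowHostDirVolumePlugin());
        // Documented defaults: unset allowPrivilegeEscalation means true,
        // omitted userNamespaceLevel means "AllowHostLevel".
        if (!Boolean.FALSE.equals(scc.getAllowPrivilegeEscalation())) out.add("allowPrivilegeEscalation is not false");
        if (!"RequirePodLevel".equals(scc.getUserNamespaceLevel())) out.add("userNamespaceLevel permits hostUsers=true");
        // Wildcards that open a whole category.
        if (orEmpty(scc.getAllowedCapabilities()).contains("*")) out.add("allowedCapabilities contains '*'");
        if (orEmpty(scc.getVolumes()).contains("*")) out.add("volumes contains '*'");
        if (orEmpty(scc.getSeccompProfiles()).contains("*")) out.add("seccompProfiles contains '*'");
        // A capability must not be in requiredDropCapabilities and in either add list.
        List<String> drop = orEmpty(scc.getRequiredDropCapabilities());
        for (String c : orEmpty(scc.getAllowedCapabilities()))
            if (drop.contains(c)) out.add(c + " is in both allowedCapabilities and requiredDropCapabilities");
        for (String c : orEmpty(scc.getDefaultAddCapabilities()))
            if (drop.contains(c)) out.add(c + " is in both defaultAddCapabilities and requiredDropCapabilities");
        return out;
    }

    public static void main(String[] args) {
        SecurityContextConstraints scc = new SecurityContextConstraints(); // constructed sample
        scc.setAllowHostNetwork(true);
        scc.setAllowedCapabilities(Arrays.asList("NET_ADMIN", "SYS_TIME"));
        scc.setRequiredDropCapabilities(Arrays.asList("SYS_TIME"));
        scc.setVolumes(Arrays.asList("*"));
        scc.setAllowedUnsafeSysctls(Arrays.asList("net.*"));
        scc.setForbiddenSysctls(Arrays.asList("net.ipv4.ip_forward"));
        findings(scc).forEach(System.out::println);
        System.out.println(permitsUnsafeSysctl(scc, "net.core.somaxconn"));
        System.out.println(permitsUnsafeSysctl(scc, "net.ipv4.ip_forward"));
    }
}
```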