Package k8s.io.api.core.v1

Class Generated.PodSecurityContext

  • All Implemented Interfaces:
    com.google.protobuf.Message, com.google.protobuf.MessageLite, com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder, Serializable, Generated.PodSecurityContextOrBuilder
    Enclosing class:
    Generated
    public static final class Generated.PodSecurityContext
extends com.google.protobuf.GeneratedMessageV3
implements Generated.PodSecurityContextOrBuilder
     PodSecurityContext holds pod-level security attributes and common container settings.
 Some fields are also present in container.securityContext.  Field values of
 container.securityContext take precedence over field values of PodSecurityContext.
    Protobuf type k8s.io.api.core.v1.PodSecurityContext
    See Also:
    Serialized Form

    • Method Detail

      • newInstance

        protected Object newInstance​(com.google.protobuf.GeneratedMessageV3.UnusedPrivateParameter unused)
        Overrides:
        newInstance in class com.google.protobuf.GeneratedMessageV3

      • getDescriptor

        public static final com.google.protobuf.Descriptors.Descriptor getDescriptor()

      • internalGetFieldAccessorTable

        protected com.google.protobuf.GeneratedMessageV3.FieldAccessorTable internalGetFieldAccessorTable()
        Specified by:
        internalGetFieldAccessorTable in class com.google.protobuf.GeneratedMessageV3

      • hasSeLinuxOptions

        public boolean hasSeLinuxOptions()
         The SELinux context to be applied to all containers.
 If unspecified, the container runtime will allocate a random SELinux context for each
 container.  May also be set in SecurityContext.  If set in
 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
 takes precedence for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 1;
        Specified by:
        hasSeLinuxOptions in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the seLinuxOptions field is set.

      • getSeLinuxOptions

        public Generated.SELinuxOptions getSeLinuxOptions()
         The SELinux context to be applied to all containers.
 If unspecified, the container runtime will allocate a random SELinux context for each
 container.  May also be set in SecurityContext.  If set in
 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
 takes precedence for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 1;
        Specified by:
        getSeLinuxOptions in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The seLinuxOptions.

      • getSeLinuxOptionsOrBuilder

        public Generated.SELinuxOptionsOrBuilder getSeLinuxOptionsOrBuilder()
         The SELinux context to be applied to all containers.
 If unspecified, the container runtime will allocate a random SELinux context for each
 container.  May also be set in SecurityContext.  If set in
 both SecurityContext and PodSecurityContext, the value specified in SecurityContext
 takes precedence for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 1;
        Specified by:
        getSeLinuxOptionsOrBuilder in interface Generated.PodSecurityContextOrBuilder

      • hasWindowsOptions

        public boolean hasWindowsOptions()
         The Windows specific settings applied to all containers.
 If unspecified, the options within a container's SecurityContext will be used.
 If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 Note that this field cannot be set when spec.os.name is linux.
 +optional
        optional .k8s.io.api.core.v1.WindowsSecurityContextOptions windowsOptions = 8;
        Specified by:
        hasWindowsOptions in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the windowsOptions field is set.

      • getWindowsOptions

        public Generated.WindowsSecurityContextOptions getWindowsOptions()
         The Windows specific settings applied to all containers.
 If unspecified, the options within a container's SecurityContext will be used.
 If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 Note that this field cannot be set when spec.os.name is linux.
 +optional
        optional .k8s.io.api.core.v1.WindowsSecurityContextOptions windowsOptions = 8;
        Specified by:
        getWindowsOptions in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The windowsOptions.

      • getWindowsOptionsOrBuilder

        public Generated.WindowsSecurityContextOptionsOrBuilder getWindowsOptionsOrBuilder()
         The Windows specific settings applied to all containers.
 If unspecified, the options within a container's SecurityContext will be used.
 If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
 Note that this field cannot be set when spec.os.name is linux.
 +optional
        optional .k8s.io.api.core.v1.WindowsSecurityContextOptions windowsOptions = 8;
        Specified by:
        getWindowsOptionsOrBuilder in interface Generated.PodSecurityContextOrBuilder

      • hasRunAsUser

        public boolean hasRunAsUser()
         The UID to run the entrypoint of the container process.
 Defaults to user specified in image metadata if unspecified.
 May also be set in SecurityContext.  If set in both SecurityContext and
 PodSecurityContext, the value specified in SecurityContext takes precedence
 for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional int64 runAsUser = 2;
        Specified by:
        hasRunAsUser in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the runAsUser field is set.

      • getRunAsUser

        public long getRunAsUser()
         The UID to run the entrypoint of the container process.
 Defaults to user specified in image metadata if unspecified.
 May also be set in SecurityContext.  If set in both SecurityContext and
 PodSecurityContext, the value specified in SecurityContext takes precedence
 for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional int64 runAsUser = 2;
        Specified by:
        getRunAsUser in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The runAsUser.

      • hasRunAsGroup

        public boolean hasRunAsGroup()
         The GID to run the entrypoint of the container process.
 Uses runtime default if unset.
 May also be set in SecurityContext.  If set in both SecurityContext and
 PodSecurityContext, the value specified in SecurityContext takes precedence
 for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional int64 runAsGroup = 6;
        Specified by:
        hasRunAsGroup in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the runAsGroup field is set.

      • getRunAsGroup

        public long getRunAsGroup()
         The GID to run the entrypoint of the container process.
 Uses runtime default if unset.
 May also be set in SecurityContext.  If set in both SecurityContext and
 PodSecurityContext, the value specified in SecurityContext takes precedence
 for that container.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional int64 runAsGroup = 6;
        Specified by:
        getRunAsGroup in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The runAsGroup.

      • hasRunAsNonRoot

        public boolean hasRunAsNonRoot()
         Indicates that the container must run as a non-root user.
 If true, the Kubelet will validate the image at runtime to ensure that it
 does not run as UID 0 (root) and fail to start the container if it does.
 If unset or false, no such validation will be performed.
 May also be set in SecurityContext.  If set in both SecurityContext and
 PodSecurityContext, the value specified in SecurityContext takes precedence.
 +optional
        optional bool runAsNonRoot = 3;
        Specified by:
        hasRunAsNonRoot in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the runAsNonRoot field is set.

      • getRunAsNonRoot

        public boolean getRunAsNonRoot()
         Indicates that the container must run as a non-root user.
 If true, the Kubelet will validate the image at runtime to ensure that it
 does not run as UID 0 (root) and fail to start the container if it does.
 If unset or false, no such validation will be performed.
 May also be set in SecurityContext.  If set in both SecurityContext and
 PodSecurityContext, the value specified in SecurityContext takes precedence.
 +optional
        optional bool runAsNonRoot = 3;
        Specified by:
        getRunAsNonRoot in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The runAsNonRoot.

      • getSupplementalGroupsList

        public List<Long> getSupplementalGroupsList()
         A list of groups applied to the first process run in each container, in
 addition to the container's primary GID and fsGroup (if specified).  If
 the SupplementalGroupsPolicy feature is enabled, the
 supplementalGroupsPolicy field determines whether these are in addition
 to or instead of any group memberships defined in the container image.
 If unspecified, no additional groups are added, though group memberships
 defined in the container image may still be used, depending on the
 supplementalGroupsPolicy field.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated int64 supplementalGroups = 4;
        Specified by:
        getSupplementalGroupsList in interface Generated.PodSecurityContextOrBuilder
        Returns:
        A list containing the supplementalGroups.

      • getSupplementalGroupsCount

        public int getSupplementalGroupsCount()
         A list of groups applied to the first process run in each container, in
 addition to the container's primary GID and fsGroup (if specified).  If
 the SupplementalGroupsPolicy feature is enabled, the
 supplementalGroupsPolicy field determines whether these are in addition
 to or instead of any group memberships defined in the container image.
 If unspecified, no additional groups are added, though group memberships
 defined in the container image may still be used, depending on the
 supplementalGroupsPolicy field.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated int64 supplementalGroups = 4;
        Specified by:
        getSupplementalGroupsCount in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The count of supplementalGroups.

      • getSupplementalGroups

        public long getSupplementalGroups​(int index)
         A list of groups applied to the first process run in each container, in
 addition to the container's primary GID and fsGroup (if specified).  If
 the SupplementalGroupsPolicy feature is enabled, the
 supplementalGroupsPolicy field determines whether these are in addition
 to or instead of any group memberships defined in the container image.
 If unspecified, no additional groups are added, though group memberships
 defined in the container image may still be used, depending on the
 supplementalGroupsPolicy field.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated int64 supplementalGroups = 4;
        Specified by:
        getSupplementalGroups in interface Generated.PodSecurityContextOrBuilder
        Parameters:
        index - The index of the element to return.
        Returns:
        The supplementalGroups at the given index.

      • hasSupplementalGroupsPolicy

        public boolean hasSupplementalGroupsPolicy()
         Defines how supplemental groups of the first container processes are calculated.
 Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
 (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
 and the container runtime must implement support for this feature.
 Note that this field cannot be set when spec.os.name is windows.
 TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34
 +featureGate=SupplementalGroupsPolicy
 +optional
        optional string supplementalGroupsPolicy = 12;
        Specified by:
        hasSupplementalGroupsPolicy in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the supplementalGroupsPolicy field is set.

      • getSupplementalGroupsPolicy

        public String getSupplementalGroupsPolicy()
         Defines how supplemental groups of the first container processes are calculated.
 Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
 (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
 and the container runtime must implement support for this feature.
 Note that this field cannot be set when spec.os.name is windows.
 TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34
 +featureGate=SupplementalGroupsPolicy
 +optional
        optional string supplementalGroupsPolicy = 12;
        Specified by:
        getSupplementalGroupsPolicy in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The supplementalGroupsPolicy.

      • getSupplementalGroupsPolicyBytes

        public com.google.protobuf.ByteString getSupplementalGroupsPolicyBytes()
         Defines how supplemental groups of the first container processes are calculated.
 Valid values are "Merge" and "Strict". If not specified, "Merge" is used.
 (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled
 and the container runtime must implement support for this feature.
 Note that this field cannot be set when spec.os.name is windows.
 TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34
 +featureGate=SupplementalGroupsPolicy
 +optional
        optional string supplementalGroupsPolicy = 12;
        Specified by:
        getSupplementalGroupsPolicyBytes in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The bytes for supplementalGroupsPolicy.

      • hasFsGroup

        public boolean hasFsGroup()
         A special supplemental group that applies to all containers in a pod.
 Some volume types allow the Kubelet to change the ownership of that volume
 to be owned by the pod:

 1. The owning GID will be the FSGroup
 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
 3. The permission bits are OR'd with rw-rw----

 If unset, the Kubelet will not modify the ownership and permissions of any volume.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional int64 fsGroup = 5;
        Specified by:
        hasFsGroup in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the fsGroup field is set.

      • getFsGroup

        public long getFsGroup()
         A special supplemental group that applies to all containers in a pod.
 Some volume types allow the Kubelet to change the ownership of that volume
 to be owned by the pod:

 1. The owning GID will be the FSGroup
 2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
 3. The permission bits are OR'd with rw-rw----

 If unset, the Kubelet will not modify the ownership and permissions of any volume.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional int64 fsGroup = 5;
        Specified by:
        getFsGroup in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The fsGroup.

      • getSysctlsList

        public List<Generated.Sysctl> getSysctlsList()
         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
 sysctls (by the container runtime) might fail to launch.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
        Specified by:
        getSysctlsList in interface Generated.PodSecurityContextOrBuilder

      • getSysctlsOrBuilderList

        public List<? extends Generated.SysctlOrBuilder> getSysctlsOrBuilderList()
         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
 sysctls (by the container runtime) might fail to launch.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
        Specified by:
        getSysctlsOrBuilderList in interface Generated.PodSecurityContextOrBuilder

      • getSysctlsCount

        public int getSysctlsCount()
         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
 sysctls (by the container runtime) might fail to launch.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
        Specified by:
        getSysctlsCount in interface Generated.PodSecurityContextOrBuilder

      • getSysctls

        public Generated.Sysctl getSysctls​(int index)
         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
 sysctls (by the container runtime) might fail to launch.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
        Specified by:
        getSysctls in interface Generated.PodSecurityContextOrBuilder

      • getSysctlsOrBuilder

        public Generated.SysctlOrBuilder getSysctlsOrBuilder​(int index)
         Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported
 sysctls (by the container runtime) might fail to launch.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
 +listType=atomic
        repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
        Specified by:
        getSysctlsOrBuilder in interface Generated.PodSecurityContextOrBuilder

      • hasFsGroupChangePolicy

        public boolean hasFsGroupChangePolicy()
         fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
 before being exposed inside Pod. This field will only apply to
 volume types which support fsGroup based ownership(and permissions).
 It will have no effect on ephemeral volume types such as: secret, configmaps
 and emptydir.
 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional string fsGroupChangePolicy = 9;
        Specified by:
        hasFsGroupChangePolicy in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the fsGroupChangePolicy field is set.

      • getFsGroupChangePolicy

        public String getFsGroupChangePolicy()
         fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
 before being exposed inside Pod. This field will only apply to
 volume types which support fsGroup based ownership(and permissions).
 It will have no effect on ephemeral volume types such as: secret, configmaps
 and emptydir.
 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional string fsGroupChangePolicy = 9;
        Specified by:
        getFsGroupChangePolicy in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The fsGroupChangePolicy.

      • getFsGroupChangePolicyBytes

        public com.google.protobuf.ByteString getFsGroupChangePolicyBytes()
         fsGroupChangePolicy defines behavior of changing ownership and permission of the volume
 before being exposed inside Pod. This field will only apply to
 volume types which support fsGroup based ownership(and permissions).
 It will have no effect on ephemeral volume types such as: secret, configmaps
 and emptydir.
 Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional string fsGroupChangePolicy = 9;
        Specified by:
        getFsGroupChangePolicyBytes in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The bytes for fsGroupChangePolicy.

      • hasSeccompProfile

        public boolean hasSeccompProfile()
         The seccomp options to use by the containers in this pod.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional .k8s.io.api.core.v1.SeccompProfile seccompProfile = 10;
        Specified by:
        hasSeccompProfile in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the seccompProfile field is set.

      • hasAppArmorProfile

        public boolean hasAppArmorProfile()
         appArmorProfile is the AppArmor options to use by the containers in this pod.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional .k8s.io.api.core.v1.AppArmorProfile appArmorProfile = 11;
        Specified by:
        hasAppArmorProfile in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the appArmorProfile field is set.

      • getAppArmorProfile

        public Generated.AppArmorProfile getAppArmorProfile()
         appArmorProfile is the AppArmor options to use by the containers in this pod.
 Note that this field cannot be set when spec.os.name is windows.
 +optional
        optional .k8s.io.api.core.v1.AppArmorProfile appArmorProfile = 11;
        Specified by:
        getAppArmorProfile in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The appArmorProfile.

      • hasSeLinuxChangePolicy

        public boolean hasSeLinuxChangePolicy()
         seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
 It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
 Valid values are "MountOption" and "Recursive".

 "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
 This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.

 "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
 This requires all Pods that share the same volume to use the same SELinux label.
 It is not possible to share the same volume among privileged and unprivileged Pods.
 Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
 whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
 CSIDriver instance. Other volumes are always re-labelled recursively.
 "MountOption" value is allowed only when SELinuxMount feature gate is enabled.

 If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
 If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
 and "Recursive" for all other volumes.

 This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.

 All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
 Note that this field cannot be set when spec.os.name is windows.
 +featureGate=SELinuxChangePolicy
 +optional
        optional string seLinuxChangePolicy = 13;
        Specified by:
        hasSeLinuxChangePolicy in interface Generated.PodSecurityContextOrBuilder
        Returns:
        Whether the seLinuxChangePolicy field is set.

      • getSeLinuxChangePolicy

        public String getSeLinuxChangePolicy()
         seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
 It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
 Valid values are "MountOption" and "Recursive".

 "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
 This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.

 "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
 This requires all Pods that share the same volume to use the same SELinux label.
 It is not possible to share the same volume among privileged and unprivileged Pods.
 Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
 whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
 CSIDriver instance. Other volumes are always re-labelled recursively.
 "MountOption" value is allowed only when SELinuxMount feature gate is enabled.

 If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
 If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
 and "Recursive" for all other volumes.

 This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.

 All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
 Note that this field cannot be set when spec.os.name is windows.
 +featureGate=SELinuxChangePolicy
 +optional
        optional string seLinuxChangePolicy = 13;
        Specified by:
        getSeLinuxChangePolicy in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The seLinuxChangePolicy.

      • getSeLinuxChangePolicyBytes

        public com.google.protobuf.ByteString getSeLinuxChangePolicyBytes()
         seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod.
 It has no effect on nodes that do not support SELinux or to volumes does not support SELinux.
 Valid values are "MountOption" and "Recursive".

 "Recursive" means relabeling of all files on all Pod volumes by the container runtime.
 This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node.

 "MountOption" mounts all eligible Pod volumes with `-o context` mount option.
 This requires all Pods that share the same volume to use the same SELinux label.
 It is not possible to share the same volume among privileged and unprivileged Pods.
 Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes
 whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their
 CSIDriver instance. Other volumes are always re-labelled recursively.
 "MountOption" value is allowed only when SELinuxMount feature gate is enabled.

 If not specified and SELinuxMount feature gate is enabled, "MountOption" is used.
 If not specified and SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes
 and "Recursive" for all other volumes.

 This field affects only Pods that have SELinux label set, either in PodSecurityContext or in SecurityContext of all containers.

 All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state.
 Note that this field cannot be set when spec.os.name is windows.
 +featureGate=SELinuxChangePolicy
 +optional
        optional string seLinuxChangePolicy = 13;
        Specified by:
        getSeLinuxChangePolicyBytes in interface Generated.PodSecurityContextOrBuilder
        Returns:
        The bytes for seLinuxChangePolicy.

      • isInitialized

        public final boolean isInitialized()
        Specified by:
        isInitialized in interface com.google.protobuf.MessageLiteOrBuilder
        Overrides:
        isInitialized in class com.google.protobuf.GeneratedMessageV3

      • writeTo

        public void writeTo​(com.google.protobuf.CodedOutputStream output)
             throws IOException
        Specified by:
        writeTo in interface com.google.protobuf.MessageLite
        Overrides:
        writeTo in class com.google.protobuf.GeneratedMessageV3
        Throws:
        IOException

      • getSerializedSize

        public int getSerializedSize()
        Specified by:
        getSerializedSize in interface com.google.protobuf.MessageLite
        Overrides:
        getSerializedSize in class com.google.protobuf.GeneratedMessageV3

      • equals

        public boolean equals​(Object obj)
        Specified by:
        equals in interface com.google.protobuf.Message
        Overrides:
        equals in class com.google.protobuf.AbstractMessage

      • hashCode

        public int hashCode()
        Specified by:
        hashCode in interface com.google.protobuf.Message
        Overrides:
        hashCode in class com.google.protobuf.AbstractMessage

      • parseFrom

        public static Generated.PodSecurityContext parseFrom​(ByteBuffer data)
                                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static Generated.PodSecurityContext parseFrom​(ByteBuffer data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static Generated.PodSecurityContext parseFrom​(com.google.protobuf.ByteString data)
                                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static Generated.PodSecurityContext parseFrom​(com.google.protobuf.ByteString data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static Generated.PodSecurityContext parseFrom​(byte[] data)
                                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • parseFrom

        public static Generated.PodSecurityContext parseFrom​(byte[] data,
                                                     com.google.protobuf.ExtensionRegistryLite extensionRegistry)
                                              throws com.google.protobuf.InvalidProtocolBufferException
        Throws:
        com.google.protobuf.InvalidProtocolBufferException

      • newBuilderForType

        public Generated.PodSecurityContext.Builder newBuilderForType()
        Specified by:
        newBuilderForType in interface com.google.protobuf.Message
        Specified by:
        newBuilderForType in interface com.google.protobuf.MessageLite

      • toBuilder

        public Generated.PodSecurityContext.Builder toBuilder()
        Specified by:
        toBuilder in interface com.google.protobuf.Message
        Specified by:
        toBuilder in interface com.google.protobuf.MessageLite

      • newBuilderForType

        protected Generated.PodSecurityContext.Builder newBuilderForType​(com.google.protobuf.GeneratedMessageV3.BuilderParent parent)
        Specified by:
        newBuilderForType in class com.google.protobuf.GeneratedMessageV3

      • getParserForType

        public com.google.protobuf.Parser<Generated.PodSecurityContext> getParserForType()
        Specified by:
        getParserForType in interface com.google.protobuf.Message
        Specified by:
        getParserForType in interface com.google.protobuf.MessageLite
        Overrides:
        getParserForType in class com.google.protobuf.GeneratedMessageV3

      • getDefaultInstanceForType

        public Generated.PodSecurityContext getDefaultInstanceForType()
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageLiteOrBuilder
        Specified by:
        getDefaultInstanceForType in interface com.google.protobuf.MessageOrBuilder