Package k8s.io.api.core.v1
Interface Generated.PodSecurityContextOrBuilder
- All Superinterfaces:
com.google.protobuf.MessageLiteOrBuilder, com.google.protobuf.MessageOrBuilder
- All Known Implementing Classes:
Generated.PodSecurityContext, Generated.PodSecurityContext.Builder
- Enclosing class:
- Generated
public static interface Generated.PodSecurityContextOrBuilder extends com.google.protobuf.MessageOrBuilder
Method Summary
| Modifier and Type | Method | Description |
| --- | --- | --- |
| Generated.AppArmorProfile | getAppArmorProfile() | appArmorProfile is the AppArmor options to use by the containers in this pod. |
| Generated.AppArmorProfileOrBuilder | getAppArmorProfileOrBuilder() | appArmorProfile is the AppArmor options to use by the containers in this pod. |
| long | getFsGroup() | A special supplemental group that applies to all containers in a pod. |
| String | getFsGroupChangePolicy() | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. |
| com.google.protobuf.ByteString | getFsGroupChangePolicyBytes() | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. |
| long | getRunAsGroup() | The GID to run the entrypoint of the container process. |
| boolean | getRunAsNonRoot() | Indicates that the container must run as a non-root user. |
| long | getRunAsUser() | The UID to run the entrypoint of the container process. |
| Generated.SeccompProfile | getSeccompProfile() | The seccomp options to use by the containers in this pod. |
| Generated.SeccompProfileOrBuilder | getSeccompProfileOrBuilder() | The seccomp options to use by the containers in this pod. |
| String | getSeLinuxChangePolicy() | seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. |
| com.google.protobuf.ByteString | getSeLinuxChangePolicyBytes() | seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. |
| Generated.SELinuxOptions | getSeLinuxOptions() | The SELinux context to be applied to all containers. |
| Generated.SELinuxOptionsOrBuilder | getSeLinuxOptionsOrBuilder() | The SELinux context to be applied to all containers. |
| long | getSupplementalGroups(int index) | A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). |
| int | getSupplementalGroupsCount() | A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). |
| List<Long> | getSupplementalGroupsList() | A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). |
| String | getSupplementalGroupsPolicy() | Defines how supplemental groups of the first container processes are calculated. |
| com.google.protobuf.ByteString | getSupplementalGroupsPolicyBytes() | Defines how supplemental groups of the first container processes are calculated. |
| Generated.Sysctl | getSysctls(int index) | Sysctls hold a list of namespaced sysctls used for the pod. |
| int | getSysctlsCount() | Sysctls hold a list of namespaced sysctls used for the pod. |
| List<Generated.Sysctl> | getSysctlsList() | Sysctls hold a list of namespaced sysctls used for the pod. |
| Generated.SysctlOrBuilder | getSysctlsOrBuilder(int index) | Sysctls hold a list of namespaced sysctls used for the pod. |
| List<? extends Generated.SysctlOrBuilder> | getSysctlsOrBuilderList() | Sysctls hold a list of namespaced sysctls used for the pod. |
| Generated.WindowsSecurityContextOptions | getWindowsOptions() | The Windows specific settings applied to all containers. |
| Generated.WindowsSecurityContextOptionsOrBuilder | getWindowsOptionsOrBuilder() | The Windows specific settings applied to all containers. |
| boolean | hasAppArmorProfile() | appArmorProfile is the AppArmor options to use by the containers in this pod. |
| boolean | hasFsGroup() | A special supplemental group that applies to all containers in a pod. |
| boolean | hasFsGroupChangePolicy() | fsGroupChangePolicy defines behavior of changing ownership and permission of the volume before being exposed inside Pod. |
| boolean | hasRunAsGroup() | The GID to run the entrypoint of the container process. |
| boolean | hasRunAsNonRoot() | Indicates that the container must run as a non-root user. |
| boolean | hasRunAsUser() | The UID to run the entrypoint of the container process. |
| boolean | hasSeccompProfile() | The seccomp options to use by the containers in this pod. |
| boolean | hasSeLinuxChangePolicy() | seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. |
| boolean | hasSeLinuxOptions() | The SELinux context to be applied to all containers. |
| boolean | hasSupplementalGroupsPolicy() | Defines how supplemental groups of the first container processes are calculated. |
| boolean | hasWindowsOptions() | The Windows specific settings applied to all containers. |
Methods inherited from interface com.google.protobuf.MessageOrBuilder
findInitializationErrors, getAllFields, getDefaultInstanceForType, getDescriptorForType, getField, getInitializationErrorString, getOneofFieldDescriptor, getRepeatedField, getRepeatedFieldCount, getUnknownFields, hasField, hasOneof
Method Detail
-
hasSeLinuxOptions
boolean hasSeLinuxOptions()
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 1;
- Returns:
- Whether the seLinuxOptions field is set.
-
getSeLinuxOptions
Generated.SELinuxOptions getSeLinuxOptions()
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 1;
- Returns:
- The seLinuxOptions.
-
getSeLinuxOptionsOrBuilder
Generated.SELinuxOptionsOrBuilder getSeLinuxOptionsOrBuilder()
The SELinux context to be applied to all containers. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 1;
-
hasWindowsOptions
boolean hasWindowsOptions()
The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. +optional
optional .k8s.io.api.core.v1.WindowsSecurityContextOptions windowsOptions = 8;
- Returns:
- Whether the windowsOptions field is set.
-
getWindowsOptions
Generated.WindowsSecurityContextOptions getWindowsOptions()
The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. +optional
optional .k8s.io.api.core.v1.WindowsSecurityContextOptions windowsOptions = 8;
- Returns:
- The windowsOptions.
-
getWindowsOptionsOrBuilder
Generated.WindowsSecurityContextOptionsOrBuilder getWindowsOptionsOrBuilder()
The Windows specific settings applied to all containers. If unspecified, the options within a container's SecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. +optional
optional .k8s.io.api.core.v1.WindowsSecurityContextOptions windowsOptions = 8;
-
hasRunAsUser
boolean hasRunAsUser()
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional int64 runAsUser = 2;
- Returns:
- Whether the runAsUser field is set.
-
getRunAsUser
long getRunAsUser()
The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional int64 runAsUser = 2;
- Returns:
- The runAsUser.
-
hasRunAsGroup
boolean hasRunAsGroup()
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional int64 runAsGroup = 6;
- Returns:
- Whether the runAsGroup field is set.
-
getRunAsGroup
long getRunAsGroup()
The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence for that container. Note that this field cannot be set when spec.os.name is windows. +optional
optional int64 runAsGroup = 6;
- Returns:
- The runAsGroup.
-
hasRunAsNonRoot
boolean hasRunAsNonRoot()
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +optional
optional bool runAsNonRoot = 3;
- Returns:
- Whether the runAsNonRoot field is set.
-
getRunAsNonRoot
boolean getRunAsNonRoot()
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in SecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. +optional
optional bool runAsNonRoot = 3;
- Returns:
- The runAsNonRoot.
-
getSupplementalGroupsList
List<Long> getSupplementalGroupsList()
A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated int64 supplementalGroups = 4;
- Returns:
- A list containing the supplementalGroups.
-
getSupplementalGroupsCount
int getSupplementalGroupsCount()
A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated int64 supplementalGroups = 4;
- Returns:
- The count of supplementalGroups.
-
getSupplementalGroups
long getSupplementalGroups(int index)
A list of groups applied to the first process run in each container, in addition to the container's primary GID and fsGroup (if specified). If the SupplementalGroupsPolicy feature is enabled, the supplementalGroupsPolicy field determines whether these are in addition to or instead of any group memberships defined in the container image. If unspecified, no additional groups are added, though group memberships defined in the container image may still be used, depending on the supplementalGroupsPolicy field. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated int64 supplementalGroups = 4;
- Parameters:
- index - The index of the element to return.
- Returns:
- The supplementalGroups at the given index.
-
hasSupplementalGroupsPolicy
boolean hasSupplementalGroupsPolicy()
Defines how supplemental groups of the first container processes are calculated. Valid values are "Merge" and "Strict". If not specified, "Merge" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows. TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34 +featureGate=SupplementalGroupsPolicy +optional
optional string supplementalGroupsPolicy = 12;
- Returns:
- Whether the supplementalGroupsPolicy field is set.
-
getSupplementalGroupsPolicy
String getSupplementalGroupsPolicy()
Defines how supplemental groups of the first container processes are calculated. Valid values are "Merge" and "Strict". If not specified, "Merge" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows. TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34 +featureGate=SupplementalGroupsPolicy +optional
optional string supplementalGroupsPolicy = 12;
- Returns:
- The supplementalGroupsPolicy.
-
getSupplementalGroupsPolicyBytes
com.google.protobuf.ByteString getSupplementalGroupsPolicyBytes()
Defines how supplemental groups of the first container processes are calculated. Valid values are "Merge" and "Strict". If not specified, "Merge" is used. (Alpha) Using the field requires the SupplementalGroupsPolicy feature gate to be enabled and the container runtime must implement support for this feature. Note that this field cannot be set when spec.os.name is windows. TODO: update the default value to "Merge" when spec.os.name is not windows in v1.34 +featureGate=SupplementalGroupsPolicy +optional
optional string supplementalGroupsPolicy = 12;
- Returns:
- The bytes for supplementalGroupsPolicy.
-
hasFsGroup
boolean hasFsGroup()
A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. +optional
optional int64 fsGroup = 5;
- Returns:
- Whether the fsGroup field is set.
-
getFsGroup
long getFsGroup()
A special supplemental group that applies to all containers in a pod. Some volume types allow the Kubelet to change the ownership of that volume to be owned by the pod:
1. The owning GID will be the FSGroup
2. The setgid bit is set (new files created in the volume will be owned by FSGroup)
3. The permission bits are OR'd with rw-rw----
If unset, the Kubelet will not modify the ownership and permissions of any volume. Note that this field cannot be set when spec.os.name is windows. +optional
optional int64 fsGroup = 5;
- Returns:
- The fsGroup.
-
getSysctlsList
List<Generated.Sysctl> getSysctlsList()
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
-
getSysctls
Generated.Sysctl getSysctls(int index)
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
-
getSysctlsCount
int getSysctlsCount()
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
-
getSysctlsOrBuilderList
List<? extends Generated.SysctlOrBuilder> getSysctlsOrBuilderList()
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
-
getSysctlsOrBuilder
Generated.SysctlOrBuilder getSysctlsOrBuilder(int index)
Sysctls hold a list of namespaced sysctls used for the pod. Pods with unsupported sysctls (by the container runtime) might fail to launch. Note that this field cannot be set when spec.os.name is windows. +optional +listType=atomic
repeated .k8s.io.api.core.v1.Sysctl sysctls = 7;
-
hasFsGroupChangePolicy
boolean hasFsGroupChangePolicy()
fsGroupChangePolicy defines the behavior of changing ownership and permission of the volume before it is exposed inside the Pod. This field only applies to volume types that support fsGroup-based ownership (and permissions). It has no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. +optional
optional string fsGroupChangePolicy = 9;
- Returns:
- Whether the fsGroupChangePolicy field is set.
-
getFsGroupChangePolicy
String getFsGroupChangePolicy()
fsGroupChangePolicy defines the behavior of changing ownership and permission of the volume before it is exposed inside the Pod. This field only applies to volume types that support fsGroup-based ownership (and permissions). It has no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. +optional
optional string fsGroupChangePolicy = 9;
- Returns:
- The fsGroupChangePolicy.
-
getFsGroupChangePolicyBytes
com.google.protobuf.ByteString getFsGroupChangePolicyBytes()
fsGroupChangePolicy defines the behavior of changing ownership and permission of the volume before it is exposed inside the Pod. This field only applies to volume types that support fsGroup-based ownership (and permissions). It has no effect on ephemeral volume types such as: secret, configmaps and emptydir. Valid values are "OnRootMismatch" and "Always". If not specified, "Always" is used. Note that this field cannot be set when spec.os.name is windows. +optional
optional string fsGroupChangePolicy = 9;
- Returns:
- The bytes for fsGroupChangePolicy.
-
hasSeccompProfile
boolean hasSeccompProfile()
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.SeccompProfile seccompProfile = 10;
- Returns:
- Whether the seccompProfile field is set.
-
getSeccompProfile
Generated.SeccompProfile getSeccompProfile()
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.SeccompProfile seccompProfile = 10;
- Returns:
- The seccompProfile.
-
getSeccompProfileOrBuilder
Generated.SeccompProfileOrBuilder getSeccompProfileOrBuilder()
The seccomp options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.SeccompProfile seccompProfile = 10;
-
hasAppArmorProfile
boolean hasAppArmorProfile()
appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.AppArmorProfile appArmorProfile = 11;
- Returns:
- Whether the appArmorProfile field is set.
-
getAppArmorProfile
Generated.AppArmorProfile getAppArmorProfile()
appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.AppArmorProfile appArmorProfile = 11;
- Returns:
- The appArmorProfile.
-
getAppArmorProfileOrBuilder
Generated.AppArmorProfileOrBuilder getAppArmorProfileOrBuilder()
appArmorProfile is the AppArmor options to use by the containers in this pod. Note that this field cannot be set when spec.os.name is windows. +optional
optional .k8s.io.api.core.v1.AppArmorProfile appArmorProfile = 11;
-
hasSeLinuxChangePolicy
boolean hasSeLinuxChangePolicy()
seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. It has no effect on nodes that do not support SELinux or on volumes that do not support SELinux. Valid values are "MountOption" and "Recursive". "Recursive" means relabeling of all files on all Pod volumes by the container runtime. This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. "MountOption" mounts all eligible Pod volumes with the `-o context` mount option. This requires all Pods that share the same volume to use the same SELinux label. It is not possible to share the same volume among privileged and unprivileged Pods. Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their CSIDriver instance. Other volumes are always re-labelled recursively. The "MountOption" value is allowed only when the SELinuxMount feature gate is enabled. If not specified and the SELinuxMount feature gate is enabled, "MountOption" is used. If not specified and the SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes and "Recursive" for all other volumes. This field affects only Pods that have an SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. Note that this field cannot be set when spec.os.name is windows. +featureGate=SELinuxChangePolicy +optional
optional string seLinuxChangePolicy = 13;
- Returns:
- Whether the seLinuxChangePolicy field is set.
-
getSeLinuxChangePolicy
String getSeLinuxChangePolicy()
seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. It has no effect on nodes that do not support SELinux or on volumes that do not support SELinux. Valid values are "MountOption" and "Recursive". "Recursive" means relabeling of all files on all Pod volumes by the container runtime. This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. "MountOption" mounts all eligible Pod volumes with the `-o context` mount option. This requires all Pods that share the same volume to use the same SELinux label. It is not possible to share the same volume among privileged and unprivileged Pods. Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their CSIDriver instance. Other volumes are always re-labelled recursively. The "MountOption" value is allowed only when the SELinuxMount feature gate is enabled. If not specified and the SELinuxMount feature gate is enabled, "MountOption" is used. If not specified and the SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes and "Recursive" for all other volumes. This field affects only Pods that have an SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. Note that this field cannot be set when spec.os.name is windows. +featureGate=SELinuxChangePolicy +optional
optional string seLinuxChangePolicy = 13;
- Returns:
- The seLinuxChangePolicy.
-
getSeLinuxChangePolicyBytes
com.google.protobuf.ByteString getSeLinuxChangePolicyBytes()
seLinuxChangePolicy defines how the container's SELinux label is applied to all volumes used by the Pod. It has no effect on nodes that do not support SELinux or on volumes that do not support SELinux. Valid values are "MountOption" and "Recursive". "Recursive" means relabeling of all files on all Pod volumes by the container runtime. This may be slow for large volumes, but allows mixing privileged and unprivileged Pods sharing the same volume on the same node. "MountOption" mounts all eligible Pod volumes with the `-o context` mount option. This requires all Pods that share the same volume to use the same SELinux label. It is not possible to share the same volume among privileged and unprivileged Pods. Eligible volumes are in-tree FibreChannel and iSCSI volumes, and all CSI volumes whose CSI driver announces SELinux support by setting spec.seLinuxMount: true in their CSIDriver instance. Other volumes are always re-labelled recursively. The "MountOption" value is allowed only when the SELinuxMount feature gate is enabled. If not specified and the SELinuxMount feature gate is enabled, "MountOption" is used. If not specified and the SELinuxMount feature gate is disabled, "MountOption" is used for ReadWriteOncePod volumes and "Recursive" for all other volumes. This field affects only Pods that have an SELinux label set, either in PodSecurityContext or in SecurityContext of all containers. All Pods that use the same volume should use the same seLinuxChangePolicy, otherwise some pods can get stuck in ContainerCreating state. Note that this field cannot be set when spec.os.name is windows. +featureGate=SELinuxChangePolicy +optional
optional string seLinuxChangePolicy = 13;
- Returns:
- The bytes for seLinuxChangePolicy.
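Added example, not part of the generated documentation or the library's own code: a pod-level audit built on the has*/get* pairs documented above. It relies on standard protobuf-generated behaviour (a getter returns the type default, 0 or false, when the field is unset, so getRunAsUser() alone cannot tell "unset" from "root"); the class name PodSecurityContextAudit, the sample values, the builder setters and the SeccompProfile type value "RuntimeDefault" are assumptions not shown on this page.

```java
import java.util.ArrayList;
import java.util.List;

import k8s.io.api.core.v1.Generated;

/** Added example (hypothetical class): pod-level checks built on the accessors documented above. */
public final class PodSecurityContextAudit {

    private PodSecurityContextAudit() {}

    /**
     * Returns findings for the pod-level security context only. Container-level
     * SecurityContext values take precedence and must be checked per container.
     */
    public static List<String> audit(Generated.PodSecurityContextOrBuilder psc) {
        List<String> findings = new ArrayList<>();

        // getRunAsUser() returns 0 both when unset and when explicitly root,
        // so presence has to be tested first.
        if (!psc.hasRunAsUser()) {
            findings.add("runAsUser unset: UID defaults to the user in image metadata");
        } else if (psc.getRunAsUser() == 0L) {
            findings.add("runAsUser explicitly set to 0 (root)");
        }

        // Unset and false are equivalent here: no non-root validation by the Kubelet.
        if (!psc.hasRunAsNonRoot() || !psc.getRunAsNonRoot()) {
            findings.add("runAsNonRoot not enforced at pod level");
        }

        if (psc.hasRunAsGroup() && psc.getRunAsGroup() == 0L) {
            findings.add("runAsGroup explicitly set to GID 0");
        }
        if (psc.hasFsGroup() && psc.getFsGroup() == 0L) {
            findings.add("fsGroup is GID 0: supported volumes become group-owned by GID 0");
        }
        if (psc.getSupplementalGroupsList().contains(0L)) {
            findings.add("supplementalGroups contains GID 0");
        }
        if (!psc.hasSeccompProfile()) {
            findings.add("seccompProfile unset at pod level");
        }
        if (psc.getSysctlsCount() > 0) {
            findings.add(psc.getSysctlsCount() + " sysctl(s) requested: review each one");
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, not taken from any real cluster.
        Generated.PodSecurityContext empty = Generated.PodSecurityContext.getDefaultInstance();

        Generated.PodSecurityContext explicitRoot = Generated.PodSecurityContext.newBuilder()
                .setRunAsUser(0L)
                .addSupplementalGroups(0L)
                .build();

        Generated.PodSecurityContext hardened = Generated.PodSecurityContext.newBuilder()
                .setRunAsUser(10001L)
                .setRunAsGroup(10001L)
                .setRunAsNonRoot(true)
                .setSeccompProfile(Generated.SeccompProfile.newBuilder().setType("RuntimeDefault"))
                .build();

        // Both of the first two report getRunAsUser() == 0; only hasRunAsUser() separates them.
        System.out.println("empty:        " + audit(empty));
        System.out.println("explicitRoot: " + audit(explicitRoot));
        System.out.println("hardened:     " + audit(hardened));
    }
}
```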