package kubecaml


Pod Security Policy Spec defines the policy enforced.

type t
val to_yojson : t -> Yojson.Safe.t
val make :
  ?volumes:string list ->
  supplemental_groups:Kubernetes.Definitions.Api.Policy.V1beta1.Supplemental_groups_strategy_options.t ->
  se_linux:Kubernetes.Definitions.Api.Policy.V1beta1.Se_linux_strategy_options.t ->
  run_as_user:Kubernetes.Definitions.Api.Policy.V1beta1.Run_as_user_strategy_options.t ->
  ?required_drop_capabilities:string list ->
  ?read_only_root_filesystem:bool ->
  ?privileged:bool ->
  ?host_ports:Kubernetes.Definitions.Api.Policy.V1beta1.Host_port_range.t list ->
  ?host_pid:bool ->
  ?host_network:bool ->
  ?host_ipc:bool ->
  fs_group:Kubernetes.Definitions.Api.Policy.V1beta1.Fs_group_strategy_options.t ->
  ?default_allow_privilege_escalation:bool ->
  ?default_add_capabilities:string list ->
  ?allowed_host_paths:Kubernetes.Definitions.Api.Policy.V1beta1.Allowed_host_path.t list ->
  ?allowed_flex_volumes:Kubernetes.Definitions.Api.Policy.V1beta1.Allowed_flex_volume.t list ->
  ?allowed_capabilities:string list ->
  ?allow_privilege_escalation:bool ->
  unit ->
  t
val allow_privilege_escalation : t -> bool option

Allow_privilege_escalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.

val allowed_capabilities : t -> string list option

Allowed_capabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both Allowed_capabilities and Required_drop_capabilities.

val allowed_flex_volumes : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Allowed_flex_volume.t list option

Allowed_flex_volumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.

val allowed_host_paths : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Allowed_host_path.t list option

Allowed_host_paths is a white list of allowed host paths. Empty indicates that all host paths may be used.

val default_add_capabilities : t -> string list option

Default_add_capabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both Default_add_capabilities and Required_drop_capabilities. Capabilities added here are implicitly allowed, and need not be included in the Allowed_capabilities list.

val default_allow_privilege_escalation : t -> bool option

Default_allow_privilege_escalation controls the default setting for whether a process can gain more privileges than its parent process.

val fs_group : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Fs_group_strategy_options.t

Fs_group is the strategy that will dictate what fs group is used by the Security_context.

val host_ipc : t -> bool option

host_ipc determines if the policy allows the use of Host_ipc in the pod spec.

val host_network : t -> bool option

host_network determines if the policy allows the use of Host_network in the pod spec.

val host_pid : t -> bool option

host_pid determines if the policy allows the use of Host_pid in the pod spec.

val host_ports : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Host_port_range.t list option

host_ports determines which host port ranges are allowed to be exposed.

val privileged : t -> bool option

privileged determines if a pod can request to be run as privileged.

val read_only_root_filesystem : t -> bool option

Read_only_root_filesystem, when set to true, will force containers to run with a read-only root file system. If the container specifically requests to run with a non-read-only root file system, the Psp should deny the pod. If set to false, the container may run with a read-only root file system if it wishes, but it will not be forced to.

val required_drop_capabilities : t -> string list option

Required_drop_capabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.

val run_as_user : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Run_as_user_strategy_options.t

run_as_user is the strategy that will dictate the allowable Run_as_user values that may be set.

val se_linux : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Se_linux_strategy_options.t

se_linux is the strategy that will dictate the allowable labels that may be set.

val supplemental_groups : t -> Kubernetes.Definitions.Api.Policy.V1beta1.Supplemental_groups_strategy_options.t

Supplemental_groups is the strategy that will dictate what supplemental groups are used by the Security_context.

val volumes : t -> string list option

volumes is a white list of allowed volume plugins. Empty indicates that all plugins may be used.

module Object : Object.S with type value := t
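Because the accessors above return option values, a spec's effective posture has to be read against the API defaults (notably that an unset allow_privilege_escalation means true). The following is an added example, not code from kubecaml or from this generated page: it builds a restrictive spec and a defaults-only spec with make, serialises one with to_yojson, and audits both through the accessors. It assumes this page is the module Kubernetes.Definitions.Api.Policy.V1beta1.Pod_security_policy_spec and that the four strategy-options modules expose a make ~rule ... () constructor, neither of which this page shows.

```ocaml
(* Added example, not kubecaml's own code. Assumes this page is the module
   Pod_security_policy_spec under the path below, and that each strategy-options
   module has a [make ~rule ... ()] constructor (not shown on this page). *)
module V1beta1 = Kubernetes.Definitions.Api.Policy.V1beta1
module Spec = V1beta1.Pod_security_policy_spec

(* Three of the four required strategies, all RunAsAny, shared by both specs. *)
let run_as_any () =
  ( V1beta1.Se_linux_strategy_options.make ~rule:"RunAsAny" (),
    V1beta1.Supplemental_groups_strategy_options.make ~rule:"RunAsAny" (),
    V1beta1.Fs_group_strategy_options.make ~rule:"RunAsAny" () )

(* Restrictive spec: no privileged containers or host namespaces, every
   capability dropped, non-root only, read-only root, named volume plugins. *)
let restricted : Spec.t =
  let se_linux, supplemental_groups, fs_group = run_as_any () in
  Spec.make ~se_linux ~supplemental_groups ~fs_group
    ~run_as_user:(V1beta1.Run_as_user_strategy_options.make ~rule:"MustRunAsNonRoot" ())
    ~privileged:false ~allow_privilege_escalation:false
    ~default_allow_privilege_escalation:false
    ~host_network:false ~host_pid:false ~host_ipc:false
    ~read_only_root_filesystem:true ~required_drop_capabilities:["ALL"]
    ~volumes:["configMap"; "downwardAPI"; "emptyDir"; "projected"; "secret"]
    ()

(* Spec that sets only the required strategies and inherits every default. *)
let permissive : Spec.t =
  let se_linux, supplemental_groups, fs_group = run_as_any () in
  Spec.make ~se_linux ~supplemental_groups ~fs_group
    ~run_as_user:(V1beta1.Run_as_user_strategy_options.make ~rule:"RunAsAny" ()) ()

(* Audit via the accessors. [None] means the field was not set; the only field
   documented above as defaulting to true is allow_privilege_escalation. *)
let findings (spec : Spec.t) : string list =
  let set ?(default = false) = function Some b -> b | None -> default in
  let flag cond msg acc = if cond then msg :: acc else acc in
  []
  |> flag (set (Spec.privileged spec)) "privileged containers allowed"
  |> flag (set ~default:true (Spec.allow_privilege_escalation spec))
       "privilege escalation allowed (unset defaults to true)"
  |> flag (set (Spec.host_network spec)) "hostNetwork allowed"
  |> flag (set (Spec.host_pid spec) || set (Spec.host_ipc spec))
       "hostPID or hostIPC allowed"
  |> flag (match Spec.volumes spec with None | Some [] -> true | _ -> false)
       "all volume plugins allowed (volumes unset or empty)"
  |> List.rev

let () =
  assert (findings restricted = []);
  List.iter print_endline (findings permissive);
  print_endline (Yojson.Safe.pretty_to_string (Spec.to_yojson restricted))
```

The permissive spec reports privilege escalation, which the API treats as allowed when the field is left unset, and unrestricted volume plugins, while the restricted spec yields no findings.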