// *** WARNING: this file was generated by pulumi-java-gen. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
package com.pulumi.kubernetes.extensions.v1beta1.inputs;
import com.pulumi.core.Output;
import com.pulumi.core.annotations.Import;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.AllowedCSIDriverPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.AllowedFlexVolumePatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.AllowedHostPathPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.FSGroupStrategyOptionsPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.HostPortRangePatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.RunAsGroupStrategyOptionsPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.RunAsUserStrategyOptionsPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.RuntimeClassStrategyOptionsPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.SELinuxStrategyOptionsPatchArgs;
import com.pulumi.kubernetes.extensions.v1beta1.inputs.SupplementalGroupsStrategyOptionsPatchArgs;
import java.lang.Boolean;
import java.lang.String;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.annotation.Nullable;
/**
 * PodSecurityPolicySpec defines the policy enforced. Deprecated: use PodSecurityPolicySpec from the policy API group instead.
 *
 * Operator note: the extensions/v1beta1 PodSecurityPolicy API stopped being served in Kubernetes v1.16, and
 * PodSecurityPolicy was removed entirely in v1.25 in favour of Pod Security Admission. On current clusters a
 * resource built from these args is rejected by the API server and therefore enforces nothing.
 *
 */
public final class PodSecurityPolicySpecPatchArgs extends com.pulumi.resources.ResourceArgs {
public static final PodSecurityPolicySpecPatchArgs Empty = new PodSecurityPolicySpecPatchArgs();
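/**
 * Whether a pod may request privilege escalation (securityContext.allowPrivilegeEscalation).
 * Unset is treated by the API as {@code true}, i.e. permissive; a restrictive policy must set
 * this to {@code false} explicitly rather than rely on the default.
 *
 */
@Import(name="allowPrivilegeEscalation")
private @Nullable Output<Boolean> allowPrivilegeEscalation;
/**
 * @return the allowPrivilegeEscalation setting, or empty when the policy leaves it unspecified
 *         (which the API resolves to {@code true})
 *
 */
public Optional<Output<Boolean>> allowPrivilegeEscalation() {
    return Optional.ofNullable(this.allowPrivilegeEscalation);
}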
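/**
 * Allowlist of CSI drivers that may back inline (ephemeral) CSI volumes in a pod spec.
 * Note the permissive default: an empty or unset value does not deny inline CSI volumes,
 * it allows any driver. Only a non-empty list restricts.
 *
 */
@Import(name="allowedCSIDrivers")
private @Nullable Output<List<AllowedCSIDriverPatchArgs>> allowedCSIDrivers;
/**
 * @return the inline CSI driver allowlist, or empty when unspecified (any driver allowed)
 *
 */
public Optional<Output<List<AllowedCSIDriverPatchArgs>>> allowedCSIDrivers() {
    return Optional.ofNullable(this.allowedCSIDrivers);
}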
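/**
 * Linux capabilities a pod is permitted to add to its containers at the pod author's discretion.
 * A capability must not appear both here and in requiredDropCapabilities; capabilities listed in
 * defaultAddCapabilities are implicitly allowed and need not be repeated here.
 *
 */
@Import(name="allowedCapabilities")
private @Nullable Output<List<String>> allowedCapabilities;
/**
 * @return the capabilities a pod may add, or empty when the policy does not set the field
 *
 */
public Optional<Output<List<String>>> allowedCapabilities() {
    return Optional.ofNullable(this.allowedCapabilities);
}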
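/**
 * Allowlist of FlexVolume drivers. Empty or unset allows every FlexVolume driver; only a non-empty
 * list restricts. The field is consulted only when the flexVolume plugin is itself permitted by
 * the {@code volumes} field.
 *
 */
@Import(name="allowedFlexVolumes")
private @Nullable Output<List<AllowedFlexVolumePatchArgs>> allowedFlexVolumes;
/**
 * @return the FlexVolume driver allowlist, or empty when unspecified (all drivers allowed)
 *
 */
public Optional<Output<List<AllowedFlexVolumePatchArgs>>> allowedFlexVolumes() {
    return Optional.ofNullable(this.allowedFlexVolumes);
}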
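/**
 * Allowlist of host paths that hostPath volumes may mount. Empty or unset allows ALL host paths:
 * the opposite of {@code volumes}, where empty means none. A restrictive policy must therefore
 * list paths explicitly (or leave the hostPath plugin out of {@code volumes}).
 *
 */
@Import(name="allowedHostPaths")
private @Nullable Output<List<AllowedHostPathPatchArgs>> allowedHostPaths;
/**
 * @return the host path allowlist, or empty when unspecified (all host paths allowed)
 *
 */
public Optional<Output<List<AllowedHostPathPatchArgs>>> allowedHostPaths() {
    return Optional.ofNullable(this.allowedHostPaths);
}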
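/**
 * Allowlist of procMount types a container may request. Here the default is restrictive: empty or
 * unset permits only the default (masked) proc mount. Enforcement requires the ProcMountType
 * feature gate.
 *
 */
@Import(name="allowedProcMountTypes")
private @Nullable Output<List<String>> allowedProcMountTypes;
/**
 * @return the allowed procMount types, or empty when unspecified (only the default type allowed)
 *
 */
public Optional<Output<List<String>>> allowedProcMountTypes() {
    return Optional.ofNullable(this.allowedProcMountTypes);
}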
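/**
 * Explicitly allowed unsafe sysctls; none by default. Each entry is an exact sysctl name or a
 * prefix ending in {@code *} ("foo/*" matches "foo/bar", "foo.*" matches "foo.bar"). A lone
 * {@code *} allows every unsafe sysctl and should be treated as equivalent to no restriction.
 * The kubelet must also allow each unsafe sysctl or the pod is rejected at the node.
 *
 */
@Import(name="allowedUnsafeSysctls")
private @Nullable Output<List<String>> allowedUnsafeSysctls;
/**
 * @return the allowed unsafe sysctl names/prefixes, or empty when none are allowed
 *
 */
public Optional<Output<List<String>>> allowedUnsafeSysctls() {
    return Optional.ofNullable(this.allowedUnsafeSysctls);
}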
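/**
 * Capabilities added to every container unless the pod spec explicitly drops them. Anything listed
 * here is implicitly allowed (no need to repeat it in allowedCapabilities) and must not also appear
 * in requiredDropCapabilities. Because these are granted silently, keep the list minimal.
 *
 */
@Import(name="defaultAddCapabilities")
private @Nullable Output<List<String>> defaultAddCapabilities;
/**
 * @return the capabilities added by default, or empty when the policy does not set the field
 *
 */
public Optional<Output<List<String>>> defaultAddCapabilities() {
    return Optional.ofNullable(this.defaultAddCapabilities);
}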
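/**
 * Default applied when a pod spec does not say whether a process may gain more privileges than
 * its parent. Distinct from allowPrivilegeEscalation, which controls what a pod may request.
 *
 */
@Import(name="defaultAllowPrivilegeEscalation")
private @Nullable Output<Boolean> defaultAllowPrivilegeEscalation;
/**
 * @return the default privilege-escalation setting, or empty when the policy leaves it unspecified
 *
 */
public Optional<Output<Boolean>> defaultAllowPrivilegeEscalation() {
    return Optional.ofNullable(this.defaultAllowPrivilegeEscalation);
}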
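/**
 * Explicitly forbidden sysctls; none by default. Entries are exact names or prefixes ending in
 * {@code *} ("foo/*" forbids "foo/bar", "foo.*" forbids "foo.bar"); a lone {@code *} forbids every
 * sysctl, safe and unsafe alike.
 *
 */
@Import(name="forbiddenSysctls")
private @Nullable Output<List<String>> forbiddenSysctls;
/**
 * @return the forbidden sysctl names/prefixes, or empty when none are forbidden
 *
 */
public Optional<Output<List<String>>> forbiddenSysctls() {
    return Optional.ofNullable(this.forbiddenSysctls);
}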
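/**
 * Strategy deciding which fsGroup values a pod's SecurityContext may use.
 *
 */
@Import(name="fsGroup")
private @Nullable Output<FSGroupStrategyOptionsPatchArgs> fsGroup;
/**
 * @return the fsGroup strategy, or empty when the policy does not set it
 *
 */
public Optional<Output<FSGroupStrategyOptionsPatchArgs>> fsGroup() {
    return Optional.ofNullable(this.fsGroup);
}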
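/**
 * Whether pods may set hostIPC (share the node's IPC namespace). One of the three host-namespace
 * controls alongside hostNetwork and hostPID.
 *
 */
@Import(name="hostIPC")
private @Nullable Output<Boolean> hostIPC;
/**
 * @return the hostIPC setting, or empty when the policy leaves it unspecified
 *
 */
public Optional<Output<Boolean>> hostIPC() {
    return Optional.ofNullable(this.hostIPC);
}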
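/**
 * Whether pods may set hostNetwork (share the node's network namespace). Pods granted this bypass
 * pod-level network isolation, so pair it with hostPorts restrictions when allowed.
 *
 */
@Import(name="hostNetwork")
private @Nullable Output<Boolean> hostNetwork;
/**
 * @return the hostNetwork setting, or empty when the policy leaves it unspecified
 *
 */
public Optional<Output<Boolean>> hostNetwork() {
    return Optional.ofNullable(this.hostNetwork);
}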
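/**
 * Whether pods may set hostPID (share the node's PID namespace).
 *
 */
@Import(name="hostPID")
private @Nullable Output<Boolean> hostPID;
/**
 * @return the hostPID setting, or empty when the policy leaves it unspecified
 *
 */
public Optional<Output<Boolean>> hostPID() {
    return Optional.ofNullable(this.hostPID);
}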
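/**
 * Host port ranges a pod is allowed to expose on the node.
 *
 */
@Import(name="hostPorts")
private @Nullable Output<List<HostPortRangePatchArgs>> hostPorts;
/**
 * @return the permitted host port ranges, or empty when the policy does not set the field
 *
 */
public Optional<Output<List<HostPortRangePatchArgs>>> hostPorts() {
    return Optional.ofNullable(this.hostPorts);
}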
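/**
 * Whether a pod may request privileged containers. Privileged mode removes most container
 * isolation, so this should be {@code false} for all but narrowly scoped system workloads.
 *
 */
@Import(name="privileged")
private @Nullable Output<Boolean> privileged;
/**
 * @return the privileged setting, or empty when the policy leaves it unspecified
 *
 */
public Optional<Output<Boolean>> privileged() {
    return Optional.ofNullable(this.privileged);
}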
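/**
 * When {@code true}, containers are forced to run with a read-only root filesystem and a pod that
 * explicitly asks for a writable root is denied. When {@code false}, a read-only root is allowed
 * but not required.
 *
 */
@Import(name="readOnlyRootFilesystem")
private @Nullable Output<Boolean> readOnlyRootFilesystem;
/**
 * @return the readOnlyRootFilesystem setting, or empty when the policy leaves it unspecified
 *
 */
public Optional<Output<Boolean>> readOnlyRootFilesystem() {
    return Optional.ofNullable(this.readOnlyRootFilesystem);
}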
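/**
 * Capabilities that are unconditionally dropped from every container; a pod cannot add them back.
 * Must not overlap allowedCapabilities or defaultAddCapabilities.
 *
 */
@Import(name="requiredDropCapabilities")
private @Nullable Output<List<String>> requiredDropCapabilities;
/**
 * @return the capabilities that must be dropped, or empty when the policy does not set the field
 *
 */
public Optional<Output<List<String>>> requiredDropCapabilities() {
    return Optional.ofNullable(this.requiredDropCapabilities);
}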
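/**
 * Strategy constraining the runAsGroup values a pod may set. If omitted, the pod's runAsGroup may
 * take any value, so a restrictive policy should always set it. Requires the RunAsGroup feature gate.
 *
 */
@Import(name="runAsGroup")
private @Nullable Output<RunAsGroupStrategyOptionsPatchArgs> runAsGroup;
/**
 * @return the runAsGroup strategy, or empty when the policy leaves the field unconstrained
 *
 */
public Optional<Output<RunAsGroupStrategyOptionsPatchArgs>> runAsGroup() {
    return Optional.ofNullable(this.runAsGroup);
}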
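/**
 * Strategy constraining the runAsUser values a pod may set.
 *
 */
@Import(name="runAsUser")
private @Nullable Output<RunAsUserStrategyOptionsPatchArgs> runAsUser;
/**
 * @return the runAsUser strategy, or empty when the policy does not set it
 *
 */
public Optional<Output<RunAsUserStrategyOptionsPatchArgs>> runAsUser() {
    return Optional.ofNullable(this.runAsUser);
}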
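/**
 * Strategy constraining the RuntimeClasses a pod may select. If omitted, runtimeClassName is
 * unrestricted. Enforcement depends on the RuntimeClass feature gate.
 *
 */
@Import(name="runtimeClass")
private @Nullable Output<RuntimeClassStrategyOptionsPatchArgs> runtimeClass;
/**
 * @return the RuntimeClass strategy, or empty when the policy leaves the field unconstrained
 *
 */
public Optional<Output<RuntimeClassStrategyOptionsPatchArgs>> runtimeClass() {
    return Optional.ofNullable(this.runtimeClass);
}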
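/**
 * Strategy constraining the SELinux labels a pod may set.
 *
 */
@Import(name="seLinux")
private @Nullable Output<SELinuxStrategyOptionsPatchArgs> seLinux;
/**
 * @return the SELinux strategy, or empty when the policy does not set it
 *
 */
public Optional<Output<SELinuxStrategyOptionsPatchArgs>> seLinux() {
    return Optional.ofNullable(this.seLinux);
}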
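/**
 * Strategy deciding which supplemental groups a pod's SecurityContext may use.
 *
 */
@Import(name="supplementalGroups")
private @Nullable Output<SupplementalGroupsStrategyOptionsPatchArgs> supplementalGroups;
/**
 * @return the supplementalGroups strategy, or empty when the policy does not set it
 *
 */
public Optional<Output<SupplementalGroupsStrategyOptionsPatchArgs>> supplementalGroups() {
    return Optional.ofNullable(this.supplementalGroups);
}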
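/**
 * Allowlist of volume plugins a pod may use. Unlike allowedHostPaths/allowedFlexVolumes/
 * allowedCSIDrivers, this field is deny-by-default: empty means no volumes at all. The wildcard
 * {@code '*'} allows every plugin (including hostPath) and defeats the purpose of the list.
 *
 */
@Import(name="volumes")
private @Nullable Output<List<String>> volumes;
/**
 * @return the allowed volume plugin names, or empty when the policy does not set the field
 *
 */
public Optional<Output<List<String>>> volumes() {
    return Optional.ofNullable(this.volumes);
}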
private PodSecurityPolicySpecPatchArgs() {}
/**
 * Copy constructor used to seed a {@link Builder} from existing args. The copy is shallow: each
 * {@code Output} reference is shared with {@code $}, not duplicated. {@code $} is not null-checked
 * here; {@link Builder#Builder(PodSecurityPolicySpecPatchArgs)} performs that check before calling.
 */
private PodSecurityPolicySpecPatchArgs(PodSecurityPolicySpecPatchArgs $) {
this.allowPrivilegeEscalation = $.allowPrivilegeEscalation;
this.allowedCSIDrivers = $.allowedCSIDrivers;
this.allowedCapabilities = $.allowedCapabilities;
this.allowedFlexVolumes = $.allowedFlexVolumes;
this.allowedHostPaths = $.allowedHostPaths;
this.allowedProcMountTypes = $.allowedProcMountTypes;
this.allowedUnsafeSysctls = $.allowedUnsafeSysctls;
this.defaultAddCapabilities = $.defaultAddCapabilities;
this.defaultAllowPrivilegeEscalation = $.defaultAllowPrivilegeEscalation;
this.forbiddenSysctls = $.forbiddenSysctls;
this.fsGroup = $.fsGroup;
this.hostIPC = $.hostIPC;
this.hostNetwork = $.hostNetwork;
this.hostPID = $.hostPID;
this.hostPorts = $.hostPorts;
this.privileged = $.privileged;
this.readOnlyRootFilesystem = $.readOnlyRootFilesystem;
this.requiredDropCapabilities = $.requiredDropCapabilities;
this.runAsGroup = $.runAsGroup;
this.runAsUser = $.runAsUser;
this.runtimeClass = $.runtimeClass;
this.seLinux = $.seLinux;
this.supplementalGroups = $.supplementalGroups;
this.volumes = $.volumes;
}
/** @return a builder whose every field starts unset */
public static Builder builder() {
return new Builder();
}
/**
 * @param defaults args whose field values seed the new builder (shallow-copied); must not be null
 * @return a builder pre-populated from {@code defaults}
 */
public static Builder builder(PodSecurityPolicySpecPatchArgs defaults) {
return new Builder(defaults);
}
public static final class Builder {
private PodSecurityPolicySpecPatchArgs $;
/** Starts from args with no field set. */
public Builder() {
$ = new PodSecurityPolicySpecPatchArgs();
}
/**
 * Starts from a shallow copy of {@code defaults}.
 *
 * @param defaults the args to copy; a null argument fails fast with NullPointerException here
 *                 rather than inside the copy constructor
 */
public Builder(PodSecurityPolicySpecPatchArgs defaults) {
$ = new PodSecurityPolicySpecPatchArgs(Objects.requireNonNull(defaults));
}
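/**
 * Sets allowPrivilegeEscalation: whether a pod may request privilege escalation. Passing null leaves
 * the field unspecified, which the API treats as {@code true}; a restrictive policy should pass an
 * explicit {@code false}.
 *
 * @param allowPrivilegeEscalation the setting as an Output, or null to leave it unspecified
 * @return this builder
 *
 */
public Builder allowPrivilegeEscalation(@Nullable Output<Boolean> allowPrivilegeEscalation) {
    $.allowPrivilegeEscalation = allowPrivilegeEscalation;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param allowPrivilegeEscalation the setting
 * @return this builder
 *
 */
public Builder allowPrivilegeEscalation(Boolean allowPrivilegeEscalation) {
    return allowPrivilegeEscalation(Output.of(allowPrivilegeEscalation));
}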
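/**
 * Sets allowedCSIDrivers, the allowlist of CSI drivers usable for inline ephemeral volumes.
 * An empty list allows ANY driver; only a non-empty list restricts.
 *
 * @param allowedCSIDrivers the allowlist as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder allowedCSIDrivers(@Nullable Output<List<AllowedCSIDriverPatchArgs>> allowedCSIDrivers) {
    $.allowedCSIDrivers = allowedCSIDrivers;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param allowedCSIDrivers the allowlist
 * @return this builder
 *
 */
public Builder allowedCSIDrivers(List<AllowedCSIDriverPatchArgs> allowedCSIDrivers) {
    return allowedCSIDrivers(Output.of(allowedCSIDrivers));
}
/**
 * Varargs overload. Builds an immutable list via {@link List#of}, so a null element throws
 * NullPointerException. Calling it with no arguments produces an empty allowlist, which per the
 * field semantics permits any CSI driver rather than none.
 *
 * @param allowedCSIDrivers the allowlist entries
 * @return this builder
 *
 */
public Builder allowedCSIDrivers(AllowedCSIDriverPatchArgs... allowedCSIDrivers) {
    return allowedCSIDrivers(List.of(allowedCSIDrivers));
}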
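/**
 * Sets allowedCapabilities, the capabilities a pod may add at its own discretion. Must not overlap
 * requiredDropCapabilities.
 *
 * @param allowedCapabilities the capability names as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder allowedCapabilities(@Nullable Output<List<String>> allowedCapabilities) {
    $.allowedCapabilities = allowedCapabilities;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param allowedCapabilities the capability names
 * @return this builder
 *
 */
public Builder allowedCapabilities(List<String> allowedCapabilities) {
    return allowedCapabilities(Output.of(allowedCapabilities));
}
/**
 * Varargs overload; builds an immutable list via {@link List#of}, so null elements are rejected.
 *
 * @param allowedCapabilities the capability names
 * @return this builder
 *
 */
public Builder allowedCapabilities(String... allowedCapabilities) {
    return allowedCapabilities(List.of(allowedCapabilities));
}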
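/**
 * Sets allowedFlexVolumes, the FlexVolume driver allowlist. An empty list allows EVERY driver; the
 * field only matters when the flexVolume plugin is permitted by {@code volumes}.
 *
 * @param allowedFlexVolumes the allowlist as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder allowedFlexVolumes(@Nullable Output<List<AllowedFlexVolumePatchArgs>> allowedFlexVolumes) {
    $.allowedFlexVolumes = allowedFlexVolumes;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param allowedFlexVolumes the allowlist
 * @return this builder
 *
 */
public Builder allowedFlexVolumes(List<AllowedFlexVolumePatchArgs> allowedFlexVolumes) {
    return allowedFlexVolumes(Output.of(allowedFlexVolumes));
}
/**
 * Varargs overload. Builds an immutable list via {@link List#of} (null elements throw). With no
 * arguments the resulting empty allowlist permits all FlexVolume drivers, not none.
 *
 * @param allowedFlexVolumes the allowlist entries
 * @return this builder
 *
 */
public Builder allowedFlexVolumes(AllowedFlexVolumePatchArgs... allowedFlexVolumes) {
    return allowedFlexVolumes(List.of(allowedFlexVolumes));
}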
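/**
 * Sets allowedHostPaths, the host path allowlist for hostPath volumes. An empty list allows ALL
 * host paths (the inverse of {@code volumes}, where empty means none), so restrict by listing
 * paths explicitly.
 *
 * @param allowedHostPaths the allowlist as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder allowedHostPaths(@Nullable Output<List<AllowedHostPathPatchArgs>> allowedHostPaths) {
    $.allowedHostPaths = allowedHostPaths;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param allowedHostPaths the allowlist
 * @return this builder
 *
 */
public Builder allowedHostPaths(List<AllowedHostPathPatchArgs> allowedHostPaths) {
    return allowedHostPaths(Output.of(allowedHostPaths));
}
/**
 * Varargs overload. Builds an immutable list via {@link List#of} (null elements throw). Calling it
 * with no arguments yields an empty allowlist, which permits every host path rather than none.
 *
 * @param allowedHostPaths the allowlist entries
 * @return this builder
 *
 */
public Builder allowedHostPaths(AllowedHostPathPatchArgs... allowedHostPaths) {
    return allowedHostPaths(List.of(allowedHostPaths));
}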
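/**
 * Sets allowedProcMountTypes. Empty or unset permits only the default proc mount type; enforcement
 * requires the ProcMountType feature gate.
 *
 * @param allowedProcMountTypes the allowed types as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder allowedProcMountTypes(@Nullable Output<List<String>> allowedProcMountTypes) {
    $.allowedProcMountTypes = allowedProcMountTypes;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param allowedProcMountTypes the allowed types
 * @return this builder
 *
 */
public Builder allowedProcMountTypes(List<String> allowedProcMountTypes) {
    return allowedProcMountTypes(Output.of(allowedProcMountTypes));
}
/**
 * Varargs overload; builds an immutable list via {@link List#of}, so null elements are rejected.
 *
 * @param allowedProcMountTypes the allowed types
 * @return this builder
 *
 */
public Builder allowedProcMountTypes(String... allowedProcMountTypes) {
    return allowedProcMountTypes(List.of(allowedProcMountTypes));
}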
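/**
 * Sets allowedUnsafeSysctls: exact sysctl names or {@code *}-terminated prefixes ("foo/*", "foo.*")
 * that pods may set despite being unsafe. None are allowed by default; a lone {@code "*"} allows
 * all of them. The kubelet must independently allow each unsafe sysctl or the pod is rejected.
 *
 * @param allowedUnsafeSysctls the names/prefixes as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder allowedUnsafeSysctls(@Nullable Output<List<String>> allowedUnsafeSysctls) {
    $.allowedUnsafeSysctls = allowedUnsafeSysctls;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param allowedUnsafeSysctls the names/prefixes
 * @return this builder
 *
 */
public Builder allowedUnsafeSysctls(List<String> allowedUnsafeSysctls) {
    return allowedUnsafeSysctls(Output.of(allowedUnsafeSysctls));
}
/**
 * Varargs overload; builds an immutable list via {@link List#of}, so null elements are rejected.
 *
 * @param allowedUnsafeSysctls the names/prefixes
 * @return this builder
 *
 */
public Builder allowedUnsafeSysctls(String... allowedUnsafeSysctls) {
    return allowedUnsafeSysctls(List.of(allowedUnsafeSysctls));
}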
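/**
 * Sets defaultAddCapabilities, capabilities granted to every container unless the pod drops them.
 * Entries are implicitly allowed (need not be in allowedCapabilities) and must not overlap
 * requiredDropCapabilities; keep this list minimal since it widens privilege silently.
 *
 * @param defaultAddCapabilities the capability names as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder defaultAddCapabilities(@Nullable Output<List<String>> defaultAddCapabilities) {
    $.defaultAddCapabilities = defaultAddCapabilities;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param defaultAddCapabilities the capability names
 * @return this builder
 *
 */
public Builder defaultAddCapabilities(List<String> defaultAddCapabilities) {
    return defaultAddCapabilities(Output.of(defaultAddCapabilities));
}
/**
 * Varargs overload; builds an immutable list via {@link List#of}, so null elements are rejected.
 *
 * @param defaultAddCapabilities the capability names
 * @return this builder
 *
 */
public Builder defaultAddCapabilities(String... defaultAddCapabilities) {
    return defaultAddCapabilities(List.of(defaultAddCapabilities));
}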
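/**
 * Sets defaultAllowPrivilegeEscalation, the default applied when a pod spec does not say whether a
 * process may gain more privileges than its parent.
 *
 * @param defaultAllowPrivilegeEscalation the default as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder defaultAllowPrivilegeEscalation(@Nullable Output<Boolean> defaultAllowPrivilegeEscalation) {
    $.defaultAllowPrivilegeEscalation = defaultAllowPrivilegeEscalation;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param defaultAllowPrivilegeEscalation the default
 * @return this builder
 *
 */
public Builder defaultAllowPrivilegeEscalation(Boolean defaultAllowPrivilegeEscalation) {
    return defaultAllowPrivilegeEscalation(Output.of(defaultAllowPrivilegeEscalation));
}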
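/**
 * Sets forbiddenSysctls: exact sysctl names or {@code *}-terminated prefixes ("foo/*", "foo.*") that
 * pods may never set. None are forbidden by default; a lone {@code "*"} forbids every sysctl.
 *
 * @param forbiddenSysctls the names/prefixes as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder forbiddenSysctls(@Nullable Output<List<String>> forbiddenSysctls) {
    $.forbiddenSysctls = forbiddenSysctls;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param forbiddenSysctls the names/prefixes
 * @return this builder
 *
 */
public Builder forbiddenSysctls(List<String> forbiddenSysctls) {
    return forbiddenSysctls(Output.of(forbiddenSysctls));
}
/**
 * Varargs overload; builds an immutable list via {@link List#of}, so null elements are rejected.
 *
 * @param forbiddenSysctls the names/prefixes
 * @return this builder
 *
 */
public Builder forbiddenSysctls(String... forbiddenSysctls) {
    return forbiddenSysctls(List.of(forbiddenSysctls));
}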
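/**
 * Sets fsGroup, the strategy deciding which fsGroup values a pod's SecurityContext may use.
 *
 * @param fsGroup the strategy as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder fsGroup(@Nullable Output<FSGroupStrategyOptionsPatchArgs> fsGroup) {
    $.fsGroup = fsGroup;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param fsGroup the strategy
 * @return this builder
 *
 */
public Builder fsGroup(FSGroupStrategyOptionsPatchArgs fsGroup) {
    return fsGroup(Output.of(fsGroup));
}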
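/**
 * Sets hostIPC: whether pods may share the node's IPC namespace.
 *
 * @param hostIPC the setting as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder hostIPC(@Nullable Output<Boolean> hostIPC) {
    $.hostIPC = hostIPC;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param hostIPC the setting
 * @return this builder
 *
 */
public Builder hostIPC(Boolean hostIPC) {
    return hostIPC(Output.of(hostIPC));
}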
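/**
 * Sets hostNetwork: whether pods may share the node's network namespace. When allowed, pair it
 * with a tight hostPorts range.
 *
 * @param hostNetwork the setting as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder hostNetwork(@Nullable Output<Boolean> hostNetwork) {
    $.hostNetwork = hostNetwork;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param hostNetwork the setting
 * @return this builder
 *
 */
public Builder hostNetwork(Boolean hostNetwork) {
    return hostNetwork(Output.of(hostNetwork));
}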
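/**
 * Sets hostPID: whether pods may share the node's PID namespace.
 *
 * @param hostPID the setting as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder hostPID(@Nullable Output<Boolean> hostPID) {
    $.hostPID = hostPID;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param hostPID the setting
 * @return this builder
 *
 */
public Builder hostPID(Boolean hostPID) {
    return hostPID(Output.of(hostPID));
}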
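/**
 * Sets hostPorts, the host port ranges a pod may expose on the node.
 *
 * @param hostPorts the ranges as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder hostPorts(@Nullable Output<List<HostPortRangePatchArgs>> hostPorts) {
    $.hostPorts = hostPorts;
    return this;
}
/**
 * Convenience overload that wraps a plain list in {@link Output#of}.
 *
 * @param hostPorts the ranges
 * @return this builder
 *
 */
public Builder hostPorts(List<HostPortRangePatchArgs> hostPorts) {
    return hostPorts(Output.of(hostPorts));
}
/**
 * Varargs overload; builds an immutable list via {@link List#of}, so null elements are rejected.
 *
 * @param hostPorts the ranges
 * @return this builder
 *
 */
public Builder hostPorts(HostPortRangePatchArgs... hostPorts) {
    return hostPorts(List.of(hostPorts));
}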
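/**
 * Sets privileged: whether pods may request privileged containers. Should be {@code false} except
 * for narrowly scoped system workloads, since privileged mode removes most container isolation.
 *
 * @param privileged the setting as an Output, or null to leave the field unspecified
 * @return this builder
 *
 */
public Builder privileged(@Nullable Output<Boolean> privileged) {
    $.privileged = privileged;
    return this;
}
/**
 * Convenience overload that wraps a plain value in {@link Output#of}.
 *
 * @param privileged the setting
 * @return this builder
 *
 */
public Builder privileged(Boolean privileged) {
    return privileged(Output.of(privileged));
}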
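/**
 * Sets {@code readOnlyRootFilesystem}. When {@code true}, containers are forced to run with a
 * read-only root file system and a pod that explicitly asks for a writable root should be denied by
 * the PSP. When {@code false}, a container may still opt into a read-only root but is not forced to.
 *
 * @param readOnlyRootFilesystem the value to record; {@code null} is stored unchanged, leaving the
 *     field unset
 * @return this builder
 */
public Builder readOnlyRootFilesystem(@Nullable Output<Boolean> readOnlyRootFilesystem) {
    $.readOnlyRootFilesystem = readOnlyRootFilesystem;
    return this;
}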
/**
 * Convenience overload of {@link #readOnlyRootFilesystem(Output)} that accepts a plain value.
 *
 * @param readOnlyRootFilesystem whether containers are forced onto a read-only root file system
 * @return this builder
 */
public Builder readOnlyRootFilesystem(Boolean readOnlyRootFilesystem) {
    Output<Boolean> asOutput = Output.of(readOnlyRootFilesystem);
    return readOnlyRootFilesystem(asOutput);
}
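/**
 * Sets {@code requiredDropCapabilities}, the Linux capabilities that will be dropped from every
 * container. These are mandatory drops: a pod cannot add them back.
 *
 * @param requiredDropCapabilities the capability names to record; {@code null} is stored unchanged,
 *     leaving the field unset
 * @return this builder
 */
public Builder requiredDropCapabilities(@Nullable Output<List<String>> requiredDropCapabilities) {
    $.requiredDropCapabilities = requiredDropCapabilities;
    return this;
}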
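/**
 * Sets {@code requiredDropCapabilities} from a plain list; see
 * {@link #requiredDropCapabilities(Output)} for the meaning of the field.
 *
 * @param requiredDropCapabilities the capability names that must be dropped
 * @return this builder
 */
public Builder requiredDropCapabilities(List<String> requiredDropCapabilities) {
    // Delegate to the Output overload so the field is always stored the same way.
    return requiredDropCapabilities(Output.of(requiredDropCapabilities));
}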
/**
 * Varargs form of {@link #requiredDropCapabilities(List)}.
 *
 * @param requiredDropCapabilities the capability names that must be dropped; {@code List.of}
 *     rejects {@code null} elements with a {@link NullPointerException}
 * @return this builder
 */
public Builder requiredDropCapabilities(String... requiredDropCapabilities) {
    List<String> names = List.of(requiredDropCapabilities);
    return requiredDropCapabilities(names);
}
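/**
 * Sets {@code runAsGroup}, the strategy that dictates which RunAsGroup values a pod may set. If the
 * field is omitted the pod's RunAsGroup can take any value. Enforcement requires the RunAsGroup
 * feature gate to be enabled.
 *
 * @param runAsGroup the strategy to record; {@code null} is stored unchanged, leaving the field
 *     unset
 * @return this builder
 */
public Builder runAsGroup(@Nullable Output<RunAsGroupStrategyOptionsPatchArgs> runAsGroup) {
    $.runAsGroup = runAsGroup;
    return this;
}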
/**
 * Convenience overload of {@link #runAsGroup(Output)} that accepts a plain value.
 *
 * @param runAsGroup the RunAsGroup strategy
 * @return this builder
 */
public Builder runAsGroup(RunAsGroupStrategyOptionsPatchArgs runAsGroup) {
    Output<RunAsGroupStrategyOptionsPatchArgs> asOutput = Output.of(runAsGroup);
    return runAsGroup(asOutput);
}
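/**
 * Sets {@code runAsUser}, the strategy that dictates which RunAsUser values a pod may set. A
 * strategy that excludes UID 0 is the usual way to keep containers from running as root.
 *
 * @param runAsUser the strategy to record; {@code null} is stored unchanged, leaving the field unset
 * @return this builder
 */
public Builder runAsUser(@Nullable Output<RunAsUserStrategyOptionsPatchArgs> runAsUser) {
    $.runAsUser = runAsUser;
    return this;
}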
/**
 * Convenience overload of {@link #runAsUser(Output)} that accepts a plain value.
 *
 * @param runAsUser the RunAsUser strategy
 * @return this builder
 */
public Builder runAsUser(RunAsUserStrategyOptionsPatchArgs runAsUser) {
    Output<RunAsUserStrategyOptionsPatchArgs> asOutput = Output.of(runAsUser);
    return runAsUser(asOutput);
}
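/**
 * Sets {@code runtimeClass}, the strategy that dictates which RuntimeClasses a pod may use. If the
 * field is omitted the pod's {@code runtimeClassName} is unrestricted. Enforcement depends on the
 * RuntimeClass feature gate being enabled.
 *
 * @param runtimeClass the strategy to record; {@code null} is stored unchanged, leaving the field
 *     unset
 * @return this builder
 */
public Builder runtimeClass(@Nullable Output<RuntimeClassStrategyOptionsPatchArgs> runtimeClass) {
    $.runtimeClass = runtimeClass;
    return this;
}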
/**
 * Convenience overload of {@link #runtimeClass(Output)} that accepts a plain value.
 *
 * @param runtimeClass the RuntimeClass strategy
 * @return this builder
 */
public Builder runtimeClass(RuntimeClassStrategyOptionsPatchArgs runtimeClass) {
    Output<RuntimeClassStrategyOptionsPatchArgs> asOutput = Output.of(runtimeClass);
    return runtimeClass(asOutput);
}
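/**
 * Sets {@code seLinux}, the strategy that dictates which SELinux labels a pod may set.
 *
 * @param seLinux the strategy to record; {@code null} is stored unchanged, leaving the field unset
 * @return this builder
 */
public Builder seLinux(@Nullable Output<SELinuxStrategyOptionsPatchArgs> seLinux) {
    $.seLinux = seLinux;
    return this;
}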
/**
 * Convenience overload of {@link #seLinux(Output)} that accepts a plain value.
 *
 * @param seLinux the SELinux label strategy
 * @return this builder
 */
public Builder seLinux(SELinuxStrategyOptionsPatchArgs seLinux) {
    Output<SELinuxStrategyOptionsPatchArgs> asOutput = Output.of(seLinux);
    return seLinux(asOutput);
}
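/**
 * Sets {@code supplementalGroups}, the strategy that dictates which supplemental groups the
 * SecurityContext may use.
 *
 * @param supplementalGroups the strategy to record; {@code null} is stored unchanged, leaving the
 *     field unset
 * @return this builder
 */
public Builder supplementalGroups(@Nullable Output<SupplementalGroupsStrategyOptionsPatchArgs> supplementalGroups) {
    $.supplementalGroups = supplementalGroups;
    return this;
}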
/**
 * Convenience overload of {@link #supplementalGroups(Output)} that accepts a plain value.
 *
 * @param supplementalGroups the supplemental groups strategy
 * @return this builder
 */
public Builder supplementalGroups(SupplementalGroupsStrategyOptionsPatchArgs supplementalGroups) {
    Output<SupplementalGroupsStrategyOptionsPatchArgs> asOutput = Output.of(supplementalGroups);
    return supplementalGroups(asOutput);
}
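/**
 * Sets {@code volumes}, the allowlist of volume plugins pods may use. An empty list means no
 * volumes may be used; {@code "*"} allows every plugin, which includes node-filesystem-backed types
 * such as hostPath, so prefer naming the plugins actually needed.
 *
 * @param volumes the plugin names to record; {@code null} is stored unchanged, leaving the field
 *     unset
 * @return this builder
 */
public Builder volumes(@Nullable Output<List<String>> volumes) {
    $.volumes = volumes;
    return this;
}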
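/**
 * Sets {@code volumes} from a plain list; see {@link #volumes(Output)} for the meaning of the
 * field and the effect of {@code "*"}.
 *
 * @param volumes the allowed volume plugin names
 * @return this builder
 */
public Builder volumes(List<String> volumes) {
    // Delegate to the Output overload so the field is always stored the same way.
    return volumes(Output.of(volumes));
}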
/**
 * Varargs form of {@link #volumes(List)}.
 *
 * @param volumes the allowed volume plugin names; {@code List.of} rejects {@code null} elements
 *     with a {@link NullPointerException}
 * @return this builder
 */
public Builder volumes(String... volumes) {
    List<String> plugins = List.of(volumes);
    return volumes(plugins);
}
/**
 * Returns the args object populated by the preceding setter calls.
 *
 * Note that this hands back the builder's own backing instance rather than a copy, so any setter
 * invoked on this builder after {@code build()} also changes the object already returned.
 *
 * @return the accumulated {@code PodSecurityPolicySpecPatchArgs}
 */
public PodSecurityPolicySpecPatchArgs build() {
return $;
}
}
}