SecurityContext (pkg.pkl-lang.org/pkl-k8s/k8sext:1.1.1) • Packages

Properties(show inherited)

link

hidden

output: ModuleOutput (pkl.base)Source

The output of this module.

Defaults to all module properties rendered as either Pcf or the format specified on the command line.
link

privileged: Boolean?Source

Run container in privileged mode.

Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows.
link

runAsUser: Int?Source

The UID to run the entrypoint of the container process.

Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
link

capabilities: Capabilities?Source

The capabilities to add/drop when running containers.

Defaults to the default set of capabilities granted by the container runtime. Note that this field cannot be set when spec.os.name is windows.
link

seLinuxOptions: SELinuxOptions?Source

The SELinux context to be applied to the container.

If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
link

appArmorProfile: AppArmorProfile?Source

appArmorProfile is the AppArmor options to use by this container.

If set, this profile overrides the pod's appArmorProfile. Note that this field cannot be set when spec.os.name is windows.
link

seccompProfile: SeccompProfile?Source

The seccomp options to use by this container.

If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows.
link

windowsOptions: WindowsSecurityContextOptions?Source

The Windows specific settings applied to all containers.

If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux.
link

procMount: String?Source

procMount denotes the type of proc mount to use for the containers.

The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows.
link

allowPrivilegeEscalation: Boolean?Source

AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process.

This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows.
link

runAsGroup: Int?Source

The GID to run the entrypoint of the container process.

Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows.
link

runAsNonRoot: Boolean?Source

Indicates that the container must run as a non-root user.

If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence.
link

readOnlyRootFilesystem: Boolean?Source

Whether this container has a read-only root filesystem.

Default is false. Note that this field cannot be set when spec.os.name is windows.

Methods(show inherited)

link

function

getClass(): Class (pkl.base)Source

Returns the class of this.
link

function

toString(): String (pkl.base)Source

Returns a string representation of this.

This method is used to convert the values of string interpolation expressions to strings.
link

function

ifNonNull<Result>(transform: (NonNull) -> Result): Result? (pkl.base)Source

Returns this |> transform if this is non-null, and null otherwise.

This method is the complement of the ?? operator and the equivalent of an Option type's map and flatMap methods.
link

function

hasProperty(name: String): Boolean (pkl.base)Source

Tells if this object has a property with the given name.
link

function

getProperty(name: String): unknown (pkl.base)Source

Returns the value of the property with the given name.

Throws if a property with this name does not exist.
link

function

getPropertyOrNull(name: String): unknown? (pkl.base)Source

Returns the value of the property with the given name.

Returns null if a property with this name does not exist.
link

function

toDynamic(): Dynamic (pkl.base)Source

Converts this object to a Dynamic object.
link

function

toMap(): Map<String, unknown> (pkl.base)Source

Converts this object to a Map.
link

function
relativePathTo(other: Module): List<String> (pkl.base)Source

Returns the relative, descendent directory path between this module and other.
Throws if no such path exists.

For example, if module mod1 has path /dir1/mod1.pkl, and module mod2 has path /dir1/dir2/dir3/mod2.pkl, then mod1.relativePathTo(mod2) will return List("dir2", "dir3").

A common use case is to compute the directory path between a template located at the root of a hierarchy (say rootModule.pkl) and the currently evaluated module (accessible via the module keyword):
```
import "rootModule.pkl" // self-import
path = rootModule.relativePathTo(module)
```
link

function

hasUniquePortNames(l: Listing): Boolean (k8s.K8sObject)

Tells if every port in l has a unique name. null names are ignored.
link

function

hasNonNullPortNames(l: Listing): Boolean (k8s.K8sObject)

Tells if every port in l has a non-null name, unless l has just a single port.
link

function

exactlyOneSet(a: Any, b: Any, c: Any): unknown (k8s.K8sObject)

Tells if exactly one of the three arguments is non-null.
link

function

onlyAllowedIf(str: String?, cond: Boolean): unknown (k8s.K8sObject)

Tells if str is only set when cond holds.

Classes(show inherited)

link

class

K8sVersion extends Annotation (k8s.K8sObject)

Indicates Kubernetes version information for the annotated member.
link

class

Capabilities Source

Adds and removes POSIX capabilities from running containers.

Type Aliases(show inherited)

link

typealias
Quantity = DataSize|Int|Float|String(matches(Regex(#"[+-]?(\d+(.\d*)?|\.\d+)([eE][+-]?(\d+(.\d*)?|\.\d+)|m|k|Ki|Mi?|Gi?|Ti?|Pi?|Ei?)?"#))) (k8s.K8sObject)

A fixed-point representation of a number.
Examples:
```
12
12e6
12.34
"12Mi" (12 * 2^20)
"12M"  (12 * 10^6)
12.mb (a [DataSize])
```
link

typealias

Time = String (k8s.K8sObject)

An RFC 3339 date and time value.

Example: "2016-04-21T08:47:53Z"
link

typealias

MicroTime = String (k8s.K8sObject)

A version of Time with microsecond level precision.
link

typealias

PortNumber = Int(isBetween(1, 65535)) (k8s.K8sObject)

A port number.
link

typealias

PortName = String(length <= 15, matches(Regex("[a-z0-9]+(-[a-z0-9]+)*")), contains(Regex("[a-z]"))) (k8s.K8sObject)

A port name conforming to RFC 6335 IANA service name syntax.

Contrary to the RFC, Kubernetes does not allow uppercase letters.
link

typealias

Rfc1035Label = String(length <= 63, matches(Regex("[a-z]([-a-z0-9]*[a-z0-9])?"))) (k8s.K8sObject)

An RFC 1035 DNS label.

Contrary to the RFC, Kubernetes does not allow uppercase letters.
link

typealias

Rfc1123Label = String(length <= 63, matches(Regex("[a-z0-9]([-a-z0-9]*[a-z0-9])?"))) (k8s.K8sObject)

An RFC 1123 DNS label.

Contrary to the RFC, Kubernetes does not allow uppercase letters.
link

typealias

Rfc1123Hostname = String(length <= 253, matches(Regex("[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*"))) (k8s.K8sObject)

An RFC 1123 hostname.

Contrary to the RFC, Kubernetes does not allow uppercase letters.
link

typealias

ApiRequestVerb = "get"|"list"|"watch"|"create"|"update"|"patch"|"delete"|"deletecollection"|"*"|"use"|"bind"|"escalate"|"impersonate"|String (k8s.K8sObject)

API verbs like get, list, create, update, patch, watch, delete, and deletecollection are used for resource requests.

To determine the request verb for a resource API endpoint, see Determine the request verb. CRDs may use verbs outside of the predefined set.
link

typealias

HttpRequestVerb = "get"|"post"|"put"|"delete"|"patch"|"head"|"*" (k8s.K8sObject)

Lowercased HTTP methods like get, post, put, and delete are used for non-resource requests.
link

typealias
FieldsV1 = String (k8s.K8sObject)

FieldsV1 stores a set of fields in a data structure like a Trie, in JSON format.
Each key is either a '.' representing the field itself, and will always map to an empty set, or a string representing a sub-field or item. The string will follow one of these four formats:
- 'f:', where is the name of a field in a struct, or key in a map
- 'v:', where is the exact json formatted value of a list item
- 'i:', where is position of a item in a list
- 'k:', where is a map of a list item's key fields to their unique values
If a key maps to an empty Fields value, the field that key represents is part of the set. The exact format is defined in sigs.k8s.io/structured-merge-diff.
link

typealias

RawExtension = Dynamic (k8s.K8sObject)

RawExtension is used to hold extensions in external versions.

k8s.api.core.v1.SecurityContext1.1.1

Properties(show inherited)

Methods(show inherited)

Classes(show inherited)

Type Aliases(show inherited)