This the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Policy Resources

1 - LimitRange

LimitRange sets resource usage limits for each kind of resource in a Namespace.

apiVersion: v1

import "k8s.io/api/core/v1"

LimitRange

LimitRange sets resource usage limits for each kind of resource in a Namespace.


LimitRangeSpec

LimitRangeSpec defines a min/max usage limit for resources that match on kind.


  • limits ([]LimitRangeItem), required

    Limits is the list of LimitRangeItem objects that are enforced.

    LimitRangeItem defines a min/max usage limit for any resource that matches on kind.

    • limits.type (string), required

      Type of resource that this limit applies to.

    • limits.default (map[string]Quantity)

      Default resource requirement limit value by resource name if resource limit is omitted.

    • limits.defaultRequest (map[string]Quantity)

      DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.

    • limits.max (map[string]Quantity)

      Max usage constraints on this kind by resource name.

    • limits.maxLimitRequestRatio (map[string]Quantity)

      MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.

    • limits.min (map[string]Quantity)

      Min usage constraints on this kind by resource name.

LimitRangeList

LimitRangeList is a list of LimitRange items.


Operations


get read the specified LimitRange

HTTP Request

GET /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

401: Unauthorized

list list or watch objects of kind LimitRange

HTTP Request

GET /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (LimitRangeList): OK

401: Unauthorized

list list or watch objects of kind LimitRange

HTTP Request

GET /api/v1/limitranges

Parameters

Response

200 (LimitRangeList): OK

401: Unauthorized

create create a LimitRange

HTTP Request

POST /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (LimitRange): OK

201 (LimitRange): Created

202 (LimitRange): Accepted

401: Unauthorized

update replace the specified LimitRange

HTTP Request

PUT /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • body: LimitRange, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

201 (LimitRange): Created

401: Unauthorized

patch partially update the specified LimitRange

HTTP Request

PATCH /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

  • name (in path): string, required

    name of the LimitRange

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (LimitRange): OK

201 (LimitRange): Created

401: Unauthorized

delete delete a LimitRange

HTTP Request

DELETE /api/v1/namespaces/{namespace}/limitranges/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of LimitRange

HTTP Request

DELETE /api/v1/namespaces/{namespace}/limitranges

Parameters

Response

200 (Status): OK

401: Unauthorized

2 - ResourceQuota

ResourceQuota sets aggregate quota restrictions enforced per namespace.

apiVersion: v1

import "k8s.io/api/core/v1"

ResourceQuota

ResourceQuota sets aggregate quota restrictions enforced per namespace


ResourceQuotaSpec

ResourceQuotaSpec defines the desired hard limits to enforce for Quota.


  • hard (map[string]Quantity)

    hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/

  • scopeSelector (ScopeSelector)

    scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.

    A scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.

    • scopeSelector.matchExpressions ([]ScopedResourceSelectorRequirement)

      A list of scope selector requirements by scope of the resources.

      A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.

      • scopeSelector.matchExpressions.operator (string), required

        Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.

      • scopeSelector.matchExpressions.scopeName (string), required

        The name of the scope that the selector applies to.

      • scopeSelector.matchExpressions.values ([]string)

        An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.

  • scopes ([]string)

    A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.

ResourceQuotaStatus

ResourceQuotaStatus defines the enforced hard limits and observed use.


ResourceQuotaList

ResourceQuotaList is a list of ResourceQuota items.


Operations


get read the specified ResourceQuota

HTTP Request

GET /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

401: Unauthorized

get read status of the specified ResourceQuota

HTTP Request

GET /api/v1/namespaces/{namespace}/resourcequotas/{name}/status

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

401: Unauthorized

list list or watch objects of kind ResourceQuota

HTTP Request

GET /api/v1/namespaces/{namespace}/resourcequotas

Parameters

Response

200 (ResourceQuotaList): OK

401: Unauthorized

list list or watch objects of kind ResourceQuota

HTTP Request

GET /api/v1/resourcequotas

Parameters

Response

200 (ResourceQuotaList): OK

401: Unauthorized

create create a ResourceQuota

HTTP Request

POST /api/v1/namespaces/{namespace}/resourcequotas

Parameters

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

202 (ResourceQuota): Accepted

401: Unauthorized

update replace the specified ResourceQuota

HTTP Request

PUT /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • body: ResourceQuota, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

update replace status of the specified ResourceQuota

HTTP Request

PUT /api/v1/namespaces/{namespace}/resourcequotas/{name}/status

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • body: ResourceQuota, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

patch partially update the specified ResourceQuota

HTTP Request

PATCH /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

patch partially update status of the specified ResourceQuota

HTTP Request

PATCH /api/v1/namespaces/{namespace}/resourcequotas/{name}/status

Parameters

  • name (in path): string, required

    name of the ResourceQuota

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (ResourceQuota): OK

201 (ResourceQuota): Created

401: Unauthorized

delete delete a ResourceQuota

HTTP Request

DELETE /api/v1/namespaces/{namespace}/resourcequotas/{name}

Parameters

Response

200 (ResourceQuota): OK

202 (ResourceQuota): Accepted

401: Unauthorized

deletecollection delete collection of ResourceQuota

HTTP Request

DELETE /api/v1/namespaces/{namespace}/resourcequotas

Parameters

Response

200 (Status): OK

401: Unauthorized

3 - NetworkPolicy

NetworkPolicy describes what network traffic is allowed for a set of Pods.

apiVersion: networking.k8s.io/v1

import "k8s.io/api/networking/v1"

NetworkPolicy

NetworkPolicy describes what network traffic is allowed for a set of Pods


NetworkPolicySpec

NetworkPolicySpec provides the specification of a NetworkPolicy


  • podSelector (LabelSelector), required

    Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.

  • policyTypes ([]string)

    List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8

  • ingress ([]NetworkPolicyIngressRule)

    List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)

    NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.

    • ingress.from ([]NetworkPolicyPeer)

      List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

      NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

      • ingress.from.ipBlock (IPBlock)

        IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

        IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

        • ingress.from.ipBlock.cidr (string), required

          CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"

        • ingress.from.ipBlock.except ([]string)

          Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range

      • ingress.from.namespaceSelector (LabelSelector)

        Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

        If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.

      • ingress.from.podSelector (LabelSelector)

        This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

        If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.

    • ingress.ports ([]NetworkPolicyPort)

      List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

      NetworkPolicyPort describes a port to allow traffic on

      • ingress.ports.port (IntOrString)

        The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

        IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

      • ingress.ports.endPort (int32)

        If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".

      • ingress.ports.protocol (string)

        The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

  • egress ([]NetworkPolicyEgressRule)

    List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8

    NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8

    • egress.to ([]NetworkPolicyPeer)

      List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.

      NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

      • egress.to.ipBlock (IPBlock)

        IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.

        IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.

        • egress.to.ipBlock.cidr (string), required

          CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"

        • egress.to.ipBlock.except ([]string)

          Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range

      • egress.to.namespaceSelector (LabelSelector)

        Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

        If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.

      • egress.to.podSelector (LabelSelector)

        This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

        If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.

    • egress.ports ([]NetworkPolicyPort)

      List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

      NetworkPolicyPort describes a port to allow traffic on

      • egress.ports.port (IntOrString)

        The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

        IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

      • egress.ports.endPort (int32)

        If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".

      • egress.ports.protocol (string)

        The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

NetworkPolicyList

NetworkPolicyList is a list of NetworkPolicy objects.


Operations


get read the specified NetworkPolicy

HTTP Request

GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

  • name (in path): string, required

    name of the NetworkPolicy

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (NetworkPolicy): OK

401: Unauthorized

list list or watch objects of kind NetworkPolicy

HTTP Request

GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Parameters

Response

200 (NetworkPolicyList): OK

401: Unauthorized

list list or watch objects of kind NetworkPolicy

HTTP Request

GET /apis/networking.k8s.io/v1/networkpolicies

Parameters

Response

200 (NetworkPolicyList): OK

401: Unauthorized

create create a NetworkPolicy

HTTP Request

POST /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Parameters

Response

200 (NetworkPolicy): OK

201 (NetworkPolicy): Created

202 (NetworkPolicy): Accepted

401: Unauthorized

update replace the specified NetworkPolicy

HTTP Request

PUT /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

  • name (in path): string, required

    name of the NetworkPolicy

  • namespace (in path): string, required

    namespace

  • body: NetworkPolicy, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (NetworkPolicy): OK

201 (NetworkPolicy): Created

401: Unauthorized

patch partially update the specified NetworkPolicy

HTTP Request

PATCH /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

  • name (in path): string, required

    name of the NetworkPolicy

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (NetworkPolicy): OK

201 (NetworkPolicy): Created

401: Unauthorized

delete delete a NetworkPolicy

HTTP Request

DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of NetworkPolicy

HTTP Request

DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Parameters

Response

200 (Status): OK

401: Unauthorized

4 - PodDisruptionBudget

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods.

apiVersion: policy/v1

import "k8s.io/api/policy/v1"

PodDisruptionBudget

PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods


PodDisruptionBudgetSpec

PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.


  • maxUnavailable (IntOrString)

    An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".

    IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

  • minAvailable (IntOrString)

    An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".

    IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.

  • selector (LabelSelector)

    Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.

PodDisruptionBudgetStatus

PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.


  • currentHealthy (int32), required

    current number of healthy pods

  • desiredHealthy (int32), required

    minimum desired number of healthy pods

  • disruptionsAllowed (int32), required

    Number of pod disruptions that are currently allowed.

  • expectedPods (int32), required

    total number of pods counted by this disruption budget

  • conditions ([]Condition)

    Patch strategy: merge on key type

    Map: unique values on key type will be kept during a merge

    Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute the number of allowed disruptions. Therefore no disruptions are allowed and the status of the condition will be False.

    • InsufficientPods: The number of pods are either at or below the number required by the PodDisruptionBudget. No disruptions are allowed and the status of the condition will be False.
    • SufficientPods: There are more pods than required by the PodDisruptionBudget. The condition will be True, and the number of allowed disruptions are provided by the disruptionsAllowed property.

    Condition contains details for one aspect of the current state of this API Resource.

    • conditions.lastTransitionTime (Time), required

      lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.

      Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

    • conditions.message (string), required

      message is a human readable message indicating details about the transition. This may be an empty string.

    • conditions.reason (string), required

      reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.

    • conditions.status (string), required

      status of the condition, one of True, False, Unknown.

    • conditions.type (string), required

      type of condition in CamelCase or in foo.example.com/CamelCase.

    • conditions.observedGeneration (int64)

      observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.

  • disruptedPods (map[string]Time)

    DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.

    Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.

  • observedGeneration (int64)

    Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.

PodDisruptionBudgetList

PodDisruptionBudgetList is a collection of PodDisruptionBudgets.


Operations


get read the specified PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

401: Unauthorized

get read status of the specified PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

401: Unauthorized

list list or watch objects of kind PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets

Parameters

Response

200 (PodDisruptionBudgetList): OK

401: Unauthorized

list list or watch objects of kind PodDisruptionBudget

HTTP Request

GET /apis/policy/v1/poddisruptionbudgets

Parameters

Response

200 (PodDisruptionBudgetList): OK

401: Unauthorized

create create a PodDisruptionBudget

HTTP Request

POST /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets

Parameters

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

202 (PodDisruptionBudget): Accepted

401: Unauthorized

update replace the specified PodDisruptionBudget

HTTP Request

PUT /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • body: PodDisruptionBudget, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

update replace status of the specified PodDisruptionBudget

HTTP Request

PUT /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • body: PodDisruptionBudget, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

patch partially update the specified PodDisruptionBudget

HTTP Request

PATCH /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

patch partially update status of the specified PodDisruptionBudget

HTTP Request

PATCH /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status

Parameters

  • name (in path): string, required

    name of the PodDisruptionBudget

  • namespace (in path): string, required

    namespace

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PodDisruptionBudget): OK

201 (PodDisruptionBudget): Created

401: Unauthorized

delete delete a PodDisruptionBudget

HTTP Request

DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}

Parameters

Response

200 (Status): OK

202 (Status): Accepted

401: Unauthorized

deletecollection delete collection of PodDisruptionBudget

HTTP Request

DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets

Parameters

Response

200 (Status): OK

401: Unauthorized

5 - PodSecurityPolicy v1beta1

PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container.

apiVersion: policy/v1beta1

import "k8s.io/api/policy/v1beta1"

PodSecurityPolicy

PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container. Deprecated in 1.21.


PodSecurityPolicySpec

PodSecurityPolicySpec defines the policy enforced.


  • runAsUser (RunAsUserStrategyOptions), required

    runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.

    RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.

    • runAsUser.rule (string), required

      rule is the strategy that will dictate the allowable RunAsUser values that may be set.

    • runAsUser.ranges ([]IDRange)

      ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.

      IDRange provides a min/max of an allowed range of IDs.

      • runAsUser.ranges.max (int64), required

        max is the end of the range, inclusive.

      • runAsUser.ranges.min (int64), required

        min is the start of the range, inclusive.

  • runAsGroup (RunAsGroupStrategyOptions)

    RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled.

    RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.

    • runAsGroup.rule (string), required

      rule is the strategy that will dictate the allowable RunAsGroup values that may be set.

    • runAsGroup.ranges ([]IDRange)

      ranges are the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs.

      IDRange provides a min/max of an allowed range of IDs.

      • runAsGroup.ranges.max (int64), required

        max is the end of the range, inclusive.

      • runAsGroup.ranges.min (int64), required

        min is the start of the range, inclusive.

  • fsGroup (FSGroupStrategyOptions), required

    fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.

    FSGroupStrategyOptions defines the strategy type and options used to create the strategy.

    • fsGroup.ranges ([]IDRange)

      ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.

      IDRange provides a min/max of an allowed range of IDs.

      • fsGroup.ranges.max (int64), required

        max is the end of the range, inclusive.

      • fsGroup.ranges.min (int64), required

        min is the start of the range, inclusive.

    • fsGroup.rule (string)

      rule is the strategy that will dictate what FSGroup is used in the SecurityContext.

  • supplementalGroups (SupplementalGroupsStrategyOptions), required

    supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.

    SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.

    • supplementalGroups.ranges ([]IDRange)

      ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs.

      IDRange provides a min/max of an allowed range of IDs.

      • supplementalGroups.ranges.max (int64), required

        max is the end of the range, inclusive.

      • supplementalGroups.ranges.min (int64), required

        min is the start of the range, inclusive.

    • supplementalGroups.rule (string)

      rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.

  • seLinux (SELinuxStrategyOptions), required

    seLinux is the strategy that will dictate the allowable labels that may be set.

    SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.

    • seLinux.rule (string), required

      rule is the strategy that will dictate the allowable labels that may be set.

    • seLinux.seLinuxOptions (SELinuxOptions)

      seLinuxOptions required to run as; required for MustRunAs More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/

      SELinuxOptions are the labels to be applied to the container

      • seLinux.seLinuxOptions.level (string)

        Level is SELinux level label that applies to the container.

      • seLinux.seLinuxOptions.role (string)

        Role is a SELinux role label that applies to the container.

      • seLinux.seLinuxOptions.type (string)

        Type is a SELinux type label that applies to the container.

      • seLinux.seLinuxOptions.user (string)

        User is a SELinux user label that applies to the container.

  • readOnlyRootFilesystem (boolean)

    readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.

  • privileged (boolean)

    privileged determines if a pod can request to be run as privileged.

  • allowPrivilegeEscalation (boolean)

    allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.

  • defaultAllowPrivilegeEscalation (boolean)

    defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.

  • allowedCSIDrivers ([]AllowedCSIDriver)

    AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.

    AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.

    • allowedCSIDrivers.name (string), required

      Name is the registered name of the CSI driver

  • allowedCapabilities ([]string)

    allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.

  • requiredDropCapabilities ([]string)

    requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.

  • defaultAddCapabilities ([]string)

    defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.

  • allowedFlexVolumes ([]AllowedFlexVolume)

    allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.

    AllowedFlexVolume represents a single Flexvolume that is allowed to be used.

    • allowedFlexVolumes.driver (string), required

      driver is the name of the Flexvolume driver.

  • allowedHostPaths ([]AllowedHostPath)

    allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.

    AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.

    • allowedHostPaths.pathPrefix (string)

      pathPrefix is the path prefix that the host volume must match. It does not support *. Trailing slashes are trimmed when validating the path prefix with a host path.

      Examples: /foo would allow /foo, /foo/ and /foo/bar /foo would not allow /food or /etc/foo

    • allowedHostPaths.readOnly (boolean)

      when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.

  • allowedProcMountTypes ([]string)

    AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.

  • allowedUnsafeSysctls ([]string)

    allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.

    Examples: e.g. "foo/" allows "foo/bar", "foo/baz", etc. e.g. "foo." allows "foo.bar", "foo.baz", etc.

  • forbiddenSysctls ([]string)

    forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.

    Examples: e.g. "foo/" forbids "foo/bar", "foo/baz", etc. e.g. "foo." forbids "foo.bar", "foo.baz", etc.

  • hostIPC (boolean)

    hostIPC determines if the policy allows the use of HostIPC in the pod spec.

  • hostNetwork (boolean)

    hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.

  • hostPID (boolean)

    hostPID determines if the policy allows the use of HostPID in the pod spec.

  • hostPorts ([]HostPortRange)

    hostPorts determines which host port ranges are allowed to be exposed.

    HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.

    • hostPorts.max (int32), required

      max is the end of the range, inclusive.

    • hostPorts.min (int32), required

      min is the start of the range, inclusive.

  • runtimeClass (RuntimeClassStrategyOptions)

    runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled.

    RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.

    • runtimeClass.allowedRuntimeClassNames ([]string), required

      allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.

    • runtimeClass.defaultRuntimeClassName (string)

      defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.

  • volumes ([]string)

    volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.

PodSecurityPolicyList

PodSecurityPolicyList is a list of PodSecurityPolicy objects.


Operations


get read the specified PodSecurityPolicy

HTTP Request

GET /apis/policy/v1beta1/podsecuritypolicies/{name}

Parameters

  • name (in path): string, required

    name of the PodSecurityPolicy

  • pretty (in query): string

    pretty

Response

200 (PodSecurityPolicy): OK

401: Unauthorized

list list or watch objects of kind PodSecurityPolicy

HTTP Request

GET /apis/policy/v1beta1/podsecuritypolicies

Parameters

Response

200 (PodSecurityPolicyList): OK

401: Unauthorized

create create a PodSecurityPolicy

HTTP Request

POST /apis/policy/v1beta1/podsecuritypolicies

Parameters

Response

200 (PodSecurityPolicy): OK

201 (PodSecurityPolicy): Created

202 (PodSecurityPolicy): Accepted

401: Unauthorized

update replace the specified PodSecurityPolicy

HTTP Request

PUT /apis/policy/v1beta1/podsecuritypolicies/{name}

Parameters

  • name (in path): string, required

    name of the PodSecurityPolicy

  • body: PodSecurityPolicy, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • pretty (in query): string

    pretty

Response

200 (PodSecurityPolicy): OK

201 (PodSecurityPolicy): Created

401: Unauthorized

patch partially update the specified PodSecurityPolicy

HTTP Request

PATCH /apis/policy/v1beta1/podsecuritypolicies/{name}

Parameters

  • name (in path): string, required

    name of the PodSecurityPolicy

  • body: Patch, required

  • dryRun (in query): string

    dryRun

  • fieldManager (in query): string

    fieldManager

  • force (in query): boolean

    force

  • pretty (in query): string

    pretty

Response

200 (PodSecurityPolicy): OK

201 (PodSecurityPolicy): Created

401: Unauthorized

delete delete a PodSecurityPolicy

HTTP Request

DELETE /apis/policy/v1beta1/podsecuritypolicies/{name}

Parameters

Response

200 (PodSecurityPolicy): OK

202 (PodSecurityPolicy): Accepted

401: Unauthorized

deletecollection delete collection of PodSecurityPolicy

HTTP Request

DELETE /apis/policy/v1beta1/podsecuritypolicies

Parameters

Response

200 (Status): OK

401: Unauthorized