1 - LimitRange
apiVersion: v1
import "k8s.io/api/core/v1"
LimitRange
LimitRange sets resource usage limits for each kind of resource in a Namespace.
-
apiVersion: v1
-
kind: LimitRange
-
metadata (ObjectMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
spec (LimitRangeSpec)
Spec defines the limits enforced. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
LimitRangeSpec
LimitRangeSpec defines a min/max usage limit for resources that match on kind.
-
limits ([]LimitRangeItem), required
Limits is the list of LimitRangeItem objects that are enforced.
LimitRangeItem defines a min/max usage limit for any resource that matches on kind.
-
limits.type (string), required
Type of resource that this limit applies to.
-
limits.default (map[string]Quantity)
Default resource requirement limit value by resource name if resource limit is omitted.
-
limits.defaultRequest (map[string]Quantity)
DefaultRequest is the default resource requirement request value by resource name if resource request is omitted.
-
limits.max (map[string]Quantity)
Max usage constraints on this kind by resource name.
-
limits.maxLimitRequestRatio (map[string]Quantity)
MaxLimitRequestRatio if specified, the named resource must have a request and limit that are both non-zero where limit divided by request is less than or equal to the enumerated value; this represents the max burst for the named resource.
-
limits.min (map[string]Quantity)
Min usage constraints on this kind by resource name.
-
LimitRangeList
LimitRangeList is a list of LimitRange items.
-
apiVersion: v1
-
kind: LimitRangeList
-
metadata (ListMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-
items ([]LimitRange), required
Items is a list of LimitRange objects. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
Operations
get
read the specified LimitRange
HTTP Request
GET /api/v1/namespaces/{namespace}/limitranges/{name}
Parameters
-
name (in path): string, required
name of the LimitRange
-
namespace (in path): string, required
-
pretty (in query): string
Response
200 (LimitRange): OK
401: Unauthorized
list
list or watch objects of kind LimitRange
HTTP Request
GET /api/v1/namespaces/{namespace}/limitranges
Parameters
-
namespace (in path): string, required
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (LimitRangeList): OK
401: Unauthorized
list
list or watch objects of kind LimitRange
HTTP Request
GET /api/v1/limitranges
Parameters
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (LimitRangeList): OK
401: Unauthorized
create
create a LimitRange
HTTP Request
POST /api/v1/namespaces/{namespace}/limitranges
Parameters
-
namespace (in path): string, required
-
body: LimitRange, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (LimitRange): OK
201 (LimitRange): Created
202 (LimitRange): Accepted
401: Unauthorized
update
replace the specified LimitRange
HTTP Request
PUT /api/v1/namespaces/{namespace}/limitranges/{name}
Parameters
-
name (in path): string, required
name of the LimitRange
-
namespace (in path): string, required
-
body: LimitRange, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (LimitRange): OK
201 (LimitRange): Created
401: Unauthorized
patch
partially update the specified LimitRange
HTTP Request
PATCH /api/v1/namespaces/{namespace}/limitranges/{name}
Parameters
-
name (in path): string, required
name of the LimitRange
-
namespace (in path): string, required
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (LimitRange): OK
201 (LimitRange): Created
401: Unauthorized
delete
delete a LimitRange
HTTP Request
DELETE /api/v1/namespaces/{namespace}/limitranges/{name}
Parameters
-
name (in path): string, required
name of the LimitRange
-
namespace (in path): string, required
-
body: DeleteOptions
-
dryRun (in query): string
-
gracePeriodSeconds (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of LimitRange
HTTP Request
DELETE /api/v1/namespaces/{namespace}/limitranges
Parameters
-
namespace (in path): string, required
-
body: DeleteOptions
-
continue (in query): string
-
dryRun (in query): string
-
fieldSelector (in query): string
-
gracePeriodSeconds (in query): integer
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
2 - ResourceQuota
apiVersion: v1
import "k8s.io/api/core/v1"
ResourceQuota
ResourceQuota sets aggregate quota restrictions enforced per namespace
-
apiVersion: v1
-
kind: ResourceQuota
-
metadata (ObjectMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
spec (ResourceQuotaSpec)
Spec defines the desired quota. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
-
status (ResourceQuotaStatus)
Status defines the actual enforced quota and its current usage. https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
ResourceQuotaSpec
ResourceQuotaSpec defines the desired hard limits to enforce for Quota.
-
hard (map[string]Quantity)
hard is the set of desired hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
-
scopeSelector (ScopeSelector)
scopeSelector is also a collection of filters like scopes that must match each object tracked by a quota but expressed using ScopeSelectorOperator in combination with possible values. For a resource to match, both scopes AND scopeSelector (if specified in spec), must be matched.
A scope selector represents the AND of the selectors represented by the scoped-resource selector requirements.
-
scopeSelector.matchExpressions ([]ScopedResourceSelectorRequirement)
A list of scope selector requirements by scope of the resources.
A scoped-resource selector requirement is a selector that contains values, a scope name, and an operator that relates the scope name and values.
-
scopeSelector.matchExpressions.operator (string), required
Represents a scope's relationship to a set of values. Valid operators are In, NotIn, Exists, DoesNotExist.
-
scopeSelector.matchExpressions.scopeName (string), required
The name of the scope that the selector applies to.
-
scopeSelector.matchExpressions.values ([]string)
An array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
-
-
-
scopes ([]string)
A collection of filters that must match each object tracked by a quota. If not specified, the quota matches all objects.
ResourceQuotaStatus
ResourceQuotaStatus defines the enforced hard limits and observed use.
-
hard (map[string]Quantity)
Hard is the set of enforced hard limits for each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
-
used (map[string]Quantity)
Used is the current observed total usage of the resource in the namespace.
ResourceQuotaList
ResourceQuotaList is a list of ResourceQuota items.
-
apiVersion: v1
-
kind: ResourceQuotaList
-
metadata (ListMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
-
items ([]ResourceQuota), required
Items is a list of ResourceQuota objects. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/
Operations
get
read the specified ResourceQuota
HTTP Request
GET /api/v1/namespaces/{namespace}/resourcequotas/{name}
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
pretty (in query): string
Response
200 (ResourceQuota): OK
401: Unauthorized
get
read status of the specified ResourceQuota
HTTP Request
GET /api/v1/namespaces/{namespace}/resourcequotas/{name}/status
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
pretty (in query): string
Response
200 (ResourceQuota): OK
401: Unauthorized
list
list or watch objects of kind ResourceQuota
HTTP Request
GET /api/v1/namespaces/{namespace}/resourcequotas
Parameters
-
namespace (in path): string, required
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (ResourceQuotaList): OK
401: Unauthorized
list
list or watch objects of kind ResourceQuota
HTTP Request
GET /api/v1/resourcequotas
Parameters
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (ResourceQuotaList): OK
401: Unauthorized
create
create a ResourceQuota
HTTP Request
POST /api/v1/namespaces/{namespace}/resourcequotas
Parameters
-
namespace (in path): string, required
-
body: ResourceQuota, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (ResourceQuota): OK
201 (ResourceQuota): Created
202 (ResourceQuota): Accepted
401: Unauthorized
update
replace the specified ResourceQuota
HTTP Request
PUT /api/v1/namespaces/{namespace}/resourcequotas/{name}
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
body: ResourceQuota, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (ResourceQuota): OK
201 (ResourceQuota): Created
401: Unauthorized
update
replace status of the specified ResourceQuota
HTTP Request
PUT /api/v1/namespaces/{namespace}/resourcequotas/{name}/status
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
body: ResourceQuota, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (ResourceQuota): OK
201 (ResourceQuota): Created
401: Unauthorized
patch
partially update the specified ResourceQuota
HTTP Request
PATCH /api/v1/namespaces/{namespace}/resourcequotas/{name}
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (ResourceQuota): OK
201 (ResourceQuota): Created
401: Unauthorized
patch
partially update status of the specified ResourceQuota
HTTP Request
PATCH /api/v1/namespaces/{namespace}/resourcequotas/{name}/status
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (ResourceQuota): OK
201 (ResourceQuota): Created
401: Unauthorized
delete
delete a ResourceQuota
HTTP Request
DELETE /api/v1/namespaces/{namespace}/resourcequotas/{name}
Parameters
-
name (in path): string, required
name of the ResourceQuota
-
namespace (in path): string, required
-
body: DeleteOptions
-
dryRun (in query): string
-
gracePeriodSeconds (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
Response
200 (ResourceQuota): OK
202 (ResourceQuota): Accepted
401: Unauthorized
deletecollection
delete collection of ResourceQuota
HTTP Request
DELETE /api/v1/namespaces/{namespace}/resourcequotas
Parameters
-
namespace (in path): string, required
-
body: DeleteOptions
-
continue (in query): string
-
dryRun (in query): string
-
fieldSelector (in query): string
-
gracePeriodSeconds (in query): integer
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
3 - NetworkPolicy
apiVersion: networking.k8s.io/v1
import "k8s.io/api/networking/v1"
NetworkPolicy
NetworkPolicy describes what network traffic is allowed for a set of Pods
-
apiVersion: networking.k8s.io/v1
-
kind: NetworkPolicy
-
metadata (ObjectMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
spec (NetworkPolicySpec)
Specification of the desired behavior for this NetworkPolicy.
NetworkPolicySpec
NetworkPolicySpec provides the specification of a NetworkPolicy
-
podSelector (LabelSelector), required
Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.
-
policyTypes ([]string)
List of rule types that the NetworkPolicy relates to. Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8
-
ingress ([]NetworkPolicyIngressRule)
List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)
NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
-
ingress.from ([]NetworkPolicyPeer)
List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.
NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
-
ingress.from.ipBlock (IPBlock)
IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.
-
ingress.from.ipBlock.cidr (string), required
CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
-
ingress.from.ipBlock.except ([]string)
Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
-
-
ingress.from.namespaceSelector (LabelSelector)
Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
-
ingress.from.podSelector (LabelSelector)
This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
-
-
ingress.ports ([]NetworkPolicyPort)
List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
NetworkPolicyPort describes a port to allow traffic on
-
ingress.ports.port (IntOrString)
The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
-
ingress.ports.endPort (int32)
If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
-
ingress.ports.protocol (string)
The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
-
-
-
egress ([]NetworkPolicyEgressRule)
List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8
NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8
-
egress.to ([]NetworkPolicyPeer)
List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.
NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed
-
egress.to.ipBlock (IPBlock)
IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.
IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.
-
egress.to.ipBlock.cidr (string), required
CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64"
-
egress.to.ipBlock.except ([]string)
Except is a slice of CIDRs that should not be included within an IP Block Valid examples are "192.168.1.1/24" or "2001:db9::/64" Except values will be rejected if they are outside the CIDR range
-
-
egress.to.namespaceSelector (LabelSelector)
Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.
If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
-
egress.to.podSelector (LabelSelector)
This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.
If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
-
-
egress.ports ([]NetworkPolicyPort)
List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
NetworkPolicyPort describes a port to allow traffic on
-
egress.ports.port (IntOrString)
The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.
IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
-
egress.ports.endPort (int32)
If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port. This feature is in Beta state and is enabled by default. It can be disabled using the Feature Gate "NetworkPolicyEndPort".
-
egress.ports.protocol (string)
The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
-
-
NetworkPolicyList
NetworkPolicyList is a list of NetworkPolicy objects.
-
apiVersion: networking.k8s.io/v1
-
kind: NetworkPolicyList
-
metadata (ListMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
items ([]NetworkPolicy), required
Items is a list of schema objects.
Operations
get
read the specified NetworkPolicy
HTTP Request
GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}
Parameters
-
name (in path): string, required
name of the NetworkPolicy
-
namespace (in path): string, required
-
pretty (in query): string
Response
200 (NetworkPolicy): OK
401: Unauthorized
list
list or watch objects of kind NetworkPolicy
HTTP Request
GET /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies
Parameters
-
namespace (in path): string, required
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (NetworkPolicyList): OK
401: Unauthorized
list
list or watch objects of kind NetworkPolicy
HTTP Request
GET /apis/networking.k8s.io/v1/networkpolicies
Parameters
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (NetworkPolicyList): OK
401: Unauthorized
create
create a NetworkPolicy
HTTP Request
POST /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies
Parameters
-
namespace (in path): string, required
-
body: NetworkPolicy, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (NetworkPolicy): OK
201 (NetworkPolicy): Created
202 (NetworkPolicy): Accepted
401: Unauthorized
update
replace the specified NetworkPolicy
HTTP Request
PUT /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}
Parameters
-
name (in path): string, required
name of the NetworkPolicy
-
namespace (in path): string, required
-
body: NetworkPolicy, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (NetworkPolicy): OK
201 (NetworkPolicy): Created
401: Unauthorized
patch
partially update the specified NetworkPolicy
HTTP Request
PATCH /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}
Parameters
-
name (in path): string, required
name of the NetworkPolicy
-
namespace (in path): string, required
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (NetworkPolicy): OK
201 (NetworkPolicy): Created
401: Unauthorized
delete
delete a NetworkPolicy
HTTP Request
DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}
Parameters
-
name (in path): string, required
name of the NetworkPolicy
-
namespace (in path): string, required
-
body: DeleteOptions
-
dryRun (in query): string
-
gracePeriodSeconds (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of NetworkPolicy
HTTP Request
DELETE /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies
Parameters
-
namespace (in path): string, required
-
body: DeleteOptions
-
continue (in query): string
-
dryRun (in query): string
-
fieldSelector (in query): string
-
gracePeriodSeconds (in query): integer
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
4 - PodDisruptionBudget
apiVersion: policy/v1
import "k8s.io/api/policy/v1"
PodDisruptionBudget
PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
-
apiVersion: policy/v1
-
kind: PodDisruptionBudget
-
metadata (ObjectMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
spec (PodDisruptionBudgetSpec)
Specification of the desired behavior of the PodDisruptionBudget.
-
status (PodDisruptionBudgetStatus)
Most recently observed status of the PodDisruptionBudget.
PodDisruptionBudgetSpec
PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
-
maxUnavailable (IntOrString)
An eviction is allowed if at most "maxUnavailable" pods selected by "selector" are unavailable after the eviction, i.e. even in absence of the evicted pod. For example, one can prevent all voluntary evictions by specifying 0. This is a mutually exclusive setting with "minAvailable".
IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
-
minAvailable (IntOrString)
An eviction is allowed if at least "minAvailable" pods selected by "selector" will still be available after the eviction, i.e. even in the absence of the evicted pod. So for example you can prevent all voluntary evictions by specifying "100%".
IntOrString is a type that can hold an int32 or a string. When used in JSON or YAML marshalling and unmarshalling, it produces or consumes the inner type. This allows you to have, for example, a JSON field that can accept a name or number.
-
selector (LabelSelector)
Label query over pods whose evictions are managed by the disruption budget. A null selector will match no pods, while an empty ({}) selector will select all pods within the namespace.
PodDisruptionBudgetStatus
PodDisruptionBudgetStatus represents information about the status of a PodDisruptionBudget. Status may trail the actual state of a system.
-
currentHealthy (int32), required
current number of healthy pods
-
desiredHealthy (int32), required
minimum desired number of healthy pods
-
disruptionsAllowed (int32), required
Number of pod disruptions that are currently allowed.
-
expectedPods (int32), required
total number of pods counted by this disruption budget
-
conditions ([]Condition)
Patch strategy: merge on key
type
Map: unique values on key type will be kept during a merge
Conditions contain conditions for PDB. The disruption controller sets the DisruptionAllowed condition. The following are known values for the reason field (additional reasons could be added in the future): - SyncFailed: The controller encountered an error and wasn't able to compute the number of allowed disruptions. Therefore no disruptions are allowed and the status of the condition will be False.
- InsufficientPods: The number of pods are either at or below the number required by the PodDisruptionBudget. No disruptions are allowed and the status of the condition will be False.
- SufficientPods: There are more pods than required by the PodDisruptionBudget. The condition will be True, and the number of allowed disruptions are provided by the disruptionsAllowed property.
Condition contains details for one aspect of the current state of this API Resource.
-
conditions.lastTransitionTime (Time), required
lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
-
conditions.message (string), required
message is a human readable message indicating details about the transition. This may be an empty string.
-
conditions.reason (string), required
reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty.
-
conditions.status (string), required
status of the condition, one of True, False, Unknown.
-
conditions.type (string), required
type of condition in CamelCase or in foo.example.com/CamelCase.
-
conditions.observedGeneration (int64)
observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance.
-
disruptedPods (map[string]Time)
DisruptedPods contains information about pods whose eviction was processed by the API server eviction subresource handler but has not yet been observed by the PodDisruptionBudget controller. A pod will be in this map from the time when the API server processed the eviction request to the time when the pod is seen by PDB controller as having been marked for deletion (or after a timeout). The key in the map is the name of the pod and the value is the time when the API server processed the eviction request. If the deletion didn't occur and a pod is still there it will be removed from the list automatically by PodDisruptionBudget controller after some time. If everything goes smooth this map should be empty for the most of the time. Large number of entries in the map may indicate problems with pod deletions.
Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers.
-
observedGeneration (int64)
Most recent generation observed when updating this PDB status. DisruptionsAllowed and other status information is valid only if observedGeneration equals to PDB's object generation.
PodDisruptionBudgetList
PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
-
apiVersion: policy/v1
-
kind: PodDisruptionBudgetList
-
metadata (ListMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
items ([]PodDisruptionBudget), required
Items is a list of PodDisruptionBudgets
Operations
get
read the specified PodDisruptionBudget
HTTP Request
GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
401: Unauthorized
get
read status of the specified PodDisruptionBudget
HTTP Request
GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
401: Unauthorized
list
list or watch objects of kind PodDisruptionBudget
HTTP Request
GET /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets
Parameters
-
namespace (in path): string, required
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (PodDisruptionBudgetList): OK
401: Unauthorized
list
list or watch objects of kind PodDisruptionBudget
HTTP Request
GET /apis/policy/v1/poddisruptionbudgets
Parameters
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (PodDisruptionBudgetList): OK
401: Unauthorized
create
create a PodDisruptionBudget
HTTP Request
POST /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets
Parameters
-
namespace (in path): string, required
-
body: PodDisruptionBudget, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
201 (PodDisruptionBudget): Created
202 (PodDisruptionBudget): Accepted
401: Unauthorized
update
replace the specified PodDisruptionBudget
HTTP Request
PUT /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
body: PodDisruptionBudget, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
201 (PodDisruptionBudget): Created
401: Unauthorized
update
replace status of the specified PodDisruptionBudget
HTTP Request
PUT /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
body: PodDisruptionBudget, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
201 (PodDisruptionBudget): Created
401: Unauthorized
patch
partially update the specified PodDisruptionBudget
HTTP Request
PATCH /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
201 (PodDisruptionBudget): Created
401: Unauthorized
patch
partially update status of the specified PodDisruptionBudget
HTTP Request
PATCH /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}/status
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (PodDisruptionBudget): OK
201 (PodDisruptionBudget): Created
401: Unauthorized
delete
delete a PodDisruptionBudget
HTTP Request
DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets/{name}
Parameters
-
name (in path): string, required
name of the PodDisruptionBudget
-
namespace (in path): string, required
-
body: DeleteOptions
-
dryRun (in query): string
-
gracePeriodSeconds (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
Response
200 (Status): OK
202 (Status): Accepted
401: Unauthorized
deletecollection
delete collection of PodDisruptionBudget
HTTP Request
DELETE /apis/policy/v1/namespaces/{namespace}/poddisruptionbudgets
Parameters
-
namespace (in path): string, required
-
body: DeleteOptions
-
continue (in query): string
-
dryRun (in query): string
-
fieldSelector (in query): string
-
gracePeriodSeconds (in query): integer
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized
5 - PodSecurityPolicy v1beta1
apiVersion: policy/v1beta1
import "k8s.io/api/policy/v1beta1"
PodSecurityPolicy
PodSecurityPolicy governs the ability to make requests that affect the Security Context that will be applied to a pod and container. Deprecated in 1.21.
-
apiVersion: policy/v1beta1
-
kind: PodSecurityPolicy
-
metadata (ObjectMeta)
Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
spec (PodSecurityPolicySpec)
spec defines the policy enforced.
PodSecurityPolicySpec
PodSecurityPolicySpec defines the policy enforced.
-
runAsUser (RunAsUserStrategyOptions), required
runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
-
runAsUser.rule (string), required
rule is the strategy that will dictate the allowable RunAsUser values that may be set.
-
runAsUser.ranges ([]IDRange)
ranges are the allowed ranges of uids that may be used. If you would like to force a single uid then supply a single range with the same start and end. Required for MustRunAs.
IDRange provides a min/max of an allowed range of IDs.
-
runAsUser.ranges.max (int64), required
max is the end of the range, inclusive.
-
runAsUser.ranges.min (int64), required
min is the start of the range, inclusive.
-
-
-
runAsGroup (RunAsGroupStrategyOptions)
RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set. If this field is omitted, the pod's RunAsGroup can take any value. This field requires the RunAsGroup feature gate to be enabled.
RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.
-
runAsGroup.rule (string), required
rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
-
runAsGroup.ranges ([]IDRange)
ranges are the allowed ranges of gids that may be used. If you would like to force a single gid then supply a single range with the same start and end. Required for MustRunAs.
IDRange provides a min/max of an allowed range of IDs.
-
runAsGroup.ranges.max (int64), required
max is the end of the range, inclusive.
-
runAsGroup.ranges.min (int64), required
min is the start of the range, inclusive.
-
-
-
fsGroup (FSGroupStrategyOptions), required
fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
-
fsGroup.ranges ([]IDRange)
ranges are the allowed ranges of fs groups. If you would like to force a single fs group then supply a single range with the same start and end. Required for MustRunAs.
IDRange provides a min/max of an allowed range of IDs.
-
fsGroup.ranges.max (int64), required
max is the end of the range, inclusive.
-
fsGroup.ranges.min (int64), required
min is the start of the range, inclusive.
-
-
fsGroup.rule (string)
rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
-
-
supplementalGroups (SupplementalGroupsStrategyOptions), required
supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
-
supplementalGroups.ranges ([]IDRange)
ranges are the allowed ranges of supplemental groups. If you would like to force a single supplemental group then supply a single range with the same start and end. Required for MustRunAs.
IDRange provides a min/max of an allowed range of IDs.
-
supplementalGroups.ranges.max (int64), required
max is the end of the range, inclusive.
-
supplementalGroups.ranges.min (int64), required
min is the start of the range, inclusive.
-
-
supplementalGroups.rule (string)
rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
-
-
seLinux (SELinuxStrategyOptions), required
seLinux is the strategy that will dictate the allowable labels that may be set.
SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
-
seLinux.rule (string), required
rule is the strategy that will dictate the allowable labels that may be set.
-
seLinux.seLinuxOptions (SELinuxOptions)
seLinuxOptions required to run as; required for MustRunAs More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
SELinuxOptions are the labels to be applied to the container
-
seLinux.seLinuxOptions.level (string)
Level is SELinux level label that applies to the container.
-
seLinux.seLinuxOptions.role (string)
Role is a SELinux role label that applies to the container.
-
seLinux.seLinuxOptions.type (string)
Type is a SELinux type label that applies to the container.
-
seLinux.seLinuxOptions.user (string)
User is a SELinux user label that applies to the container.
-
-
-
readOnlyRootFilesystem (boolean)
readOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the PSP should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to.
-
privileged (boolean)
privileged determines if a pod can request to be run as privileged.
-
allowPrivilegeEscalation (boolean)
allowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true.
-
defaultAllowPrivilegeEscalation (boolean)
defaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process.
-
allowedCSIDrivers ([]AllowedCSIDriver)
AllowedCSIDrivers is an allowlist of inline CSI drivers that must be explicitly set to be embedded within a pod spec. An empty value indicates that any CSI driver can be used for inline ephemeral volumes. This is a beta field, and is only honored if the API server enables the CSIInlineVolume feature gate.
AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.
-
allowedCSIDrivers.name (string), required
Name is the registered name of the CSI driver
-
-
allowedCapabilities ([]string)
allowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
-
requiredDropCapabilities ([]string)
requiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added.
-
defaultAddCapabilities ([]string)
defaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly allowed, and need not be included in the allowedCapabilities list.
-
allowedFlexVolumes ([]AllowedFlexVolume)
allowedFlexVolumes is an allowlist of Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "volumes" field.
AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
-
allowedFlexVolumes.driver (string), required
driver is the name of the Flexvolume driver.
-
-
allowedHostPaths ([]AllowedHostPath)
allowedHostPaths is an allowlist of host paths. Empty indicates that all host paths may be used.
AllowedHostPath defines the host volume conditions that will be enabled by a policy for pods to use. It requires the path prefix to be defined.
-
allowedHostPaths.pathPrefix (string)
pathPrefix is the path prefix that the host volume must match. It does not support
*
. Trailing slashes are trimmed when validating the path prefix with a host path.Examples:
/foo
would allow/foo
,/foo/
and/foo/bar
/foo
would not allow/food
or/etc/foo
-
allowedHostPaths.readOnly (boolean)
when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
-
-
allowedProcMountTypes ([]string)
AllowedProcMountTypes is an allowlist of allowed ProcMountTypes. Empty or nil indicates that only the DefaultProcMountType may be used. This requires the ProcMountType feature flag to be enabled.
-
allowedUnsafeSysctls ([]string)
allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to allowlist all allowed unsafe sysctls explicitly to avoid rejection.
Examples: e.g. "foo/" allows "foo/bar", "foo/baz", etc. e.g. "foo." allows "foo.bar", "foo.baz", etc.
-
forbiddenSysctls ([]string)
forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
Examples: e.g. "foo/" forbids "foo/bar", "foo/baz", etc. e.g. "foo." forbids "foo.bar", "foo.baz", etc.
-
hostIPC (boolean)
hostIPC determines if the policy allows the use of HostIPC in the pod spec.
-
hostNetwork (boolean)
hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
-
hostPID (boolean)
hostPID determines if the policy allows the use of HostPID in the pod spec.
-
hostPorts ([]HostPortRange)
hostPorts determines which host port ranges are allowed to be exposed.
HostPortRange defines a range of host ports that will be enabled by a policy for pods to use. It requires both the start and end to be defined.
-
hostPorts.max (int32), required
max is the end of the range, inclusive.
-
hostPorts.min (int32), required
min is the start of the range, inclusive.
-
-
runtimeClass (RuntimeClassStrategyOptions)
runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod. If this field is omitted, the pod's runtimeClassName field is unrestricted. Enforcement of this field depends on the RuntimeClass feature gate being enabled.
RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses for a pod.
-
runtimeClass.allowedRuntimeClassNames ([]string), required
allowedRuntimeClassNames is an allowlist of RuntimeClass names that may be specified on a pod. A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the list. An empty list requires the RuntimeClassName field to be unset.
-
runtimeClass.defaultRuntimeClassName (string)
defaultRuntimeClassName is the default RuntimeClassName to set on the pod. The default MUST be allowed by the allowedRuntimeClassNames list. A value of nil does not mutate the Pod.
-
-
volumes ([]string)
volumes is an allowlist of volume plugins. Empty indicates that no volumes may be used. To allow all volumes you may use '*'.
PodSecurityPolicyList
PodSecurityPolicyList is a list of PodSecurityPolicy objects.
-
apiVersion: policy/v1beta1
-
kind: PodSecurityPolicyList
-
metadata (ListMeta)
Standard list metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
-
items ([]PodSecurityPolicy), required
items is a list of schema objects.
Operations
get
read the specified PodSecurityPolicy
HTTP Request
GET /apis/policy/v1beta1/podsecuritypolicies/{name}
Parameters
-
name (in path): string, required
name of the PodSecurityPolicy
-
pretty (in query): string
Response
200 (PodSecurityPolicy): OK
401: Unauthorized
list
list or watch objects of kind PodSecurityPolicy
HTTP Request
GET /apis/policy/v1beta1/podsecuritypolicies
Parameters
-
allowWatchBookmarks (in query): boolean
-
continue (in query): string
-
fieldSelector (in query): string
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
-
watch (in query): boolean
Response
200 (PodSecurityPolicyList): OK
401: Unauthorized
create
create a PodSecurityPolicy
HTTP Request
POST /apis/policy/v1beta1/podsecuritypolicies
Parameters
-
body: PodSecurityPolicy, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (PodSecurityPolicy): OK
201 (PodSecurityPolicy): Created
202 (PodSecurityPolicy): Accepted
401: Unauthorized
update
replace the specified PodSecurityPolicy
HTTP Request
PUT /apis/policy/v1beta1/podsecuritypolicies/{name}
Parameters
-
name (in path): string, required
name of the PodSecurityPolicy
-
body: PodSecurityPolicy, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
pretty (in query): string
Response
200 (PodSecurityPolicy): OK
201 (PodSecurityPolicy): Created
401: Unauthorized
patch
partially update the specified PodSecurityPolicy
HTTP Request
PATCH /apis/policy/v1beta1/podsecuritypolicies/{name}
Parameters
-
name (in path): string, required
name of the PodSecurityPolicy
-
body: Patch, required
-
dryRun (in query): string
-
fieldManager (in query): string
-
force (in query): boolean
-
pretty (in query): string
Response
200 (PodSecurityPolicy): OK
201 (PodSecurityPolicy): Created
401: Unauthorized
delete
delete a PodSecurityPolicy
HTTP Request
DELETE /apis/policy/v1beta1/podsecuritypolicies/{name}
Parameters
-
name (in path): string, required
name of the PodSecurityPolicy
-
body: DeleteOptions
-
dryRun (in query): string
-
gracePeriodSeconds (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
Response
200 (PodSecurityPolicy): OK
202 (PodSecurityPolicy): Accepted
401: Unauthorized
deletecollection
delete collection of PodSecurityPolicy
HTTP Request
DELETE /apis/policy/v1beta1/podsecuritypolicies
Parameters
-
body: DeleteOptions
-
continue (in query): string
-
dryRun (in query): string
-
fieldSelector (in query): string
-
gracePeriodSeconds (in query): integer
-
labelSelector (in query): string
-
limit (in query): integer
-
pretty (in query): string
-
propagationPolicy (in query): string
-
resourceVersion (in query): string
-
resourceVersionMatch (in query): string
-
timeoutSeconds (in query): integer
Response
200 (Status): OK
401: Unauthorized