package kubecaml

Security_context holds security configuration that will be applied to a container. Some fields are present in both Security_context and Pod_security_context. When both are set, the values in Security_context take precedence.

type t
val to_yojson : t -> Yojson.Safe.t
val make :
  ?se_linux_options:Kubernetes.Definitions.Api.Core.V1.Se_linux_options.t ->
  ?run_as_user:int ->
  ?run_as_non_root:bool ->
  ?run_as_group:int ->
  ?read_only_root_filesystem:bool ->
  ?privileged:bool ->
  ?capabilities:Kubernetes.Definitions.Api.Core.V1.Capabilities.t ->
  ?allow_privilege_escalation:bool ->
  unit ->
  t
val allow_privilege_escalation : t -> bool option

Allow_privilege_escalation controls whether a process can gain more privileges than its parent process. This bool directly controls whether the no_new_privs flag will be set on the container process. Allow_privilege_escalation is always true when the container 1) runs as privileged or 2) has CAP_SYS_ADMIN.

val capabilities : t -> Kubernetes.Definitions.Api.Core.V1.Capabilities.t option

The capabilities to add/drop when running containers. Defaults to the default set of capabilities granted by the container runtime.

val privileged : t -> bool option

Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false.

val read_only_root_filesystem : t -> bool option

Whether this container has a read-only root filesystem. Default is false.

val run_as_group : t -> int option

The GID to run the entrypoint of the container process as. Uses the runtime default if unset. May also be set in Pod_security_context. If set in both Security_context and Pod_security_context, the value specified in Security_context takes precedence.

val run_as_non_root : t -> bool option

Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and will fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in Pod_security_context. If set in both Security_context and Pod_security_context, the value specified in Security_context takes precedence.

val run_as_user : t -> int option

The UID to run the entrypoint of the container process as. Defaults to the user specified in the image metadata if unspecified. May also be set in Pod_security_context. If set in both Security_context and Pod_security_context, the value specified in Security_context takes precedence.

val se_linux_options : t -> Kubernetes.Definitions.Api.Core.V1.Se_linux_options.t option

The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in Pod_security_context. If set in both Security_context and Pod_security_context, the value specified in Security_context takes precedence.

module Object : Object.S with type value := t
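As an added example (not part of the kubecaml documentation or code), the following builds a restrictive Security_context with make and lints any context through the accessors above, reporting fields whose unset default is the permissive value. It assumes this module is reachable as Kubernetes.Definitions.Api.Core.V1.Security_context and that Capabilities.make takes an optional ~drop:string list in the same style as make here; both are assumptions.

```ocaml
(* Assumption: module path of this page's Security_context and of Capabilities. *)
module SC = Kubernetes.Definitions.Api.Core.V1.Security_context
module Caps = Kubernetes.Definitions.Api.Core.V1.Capabilities

(* A restrictive context: non-root, fixed UID/GID, read-only root filesystem,
   no privilege escalation (no_new_privs set), not privileged, all caps dropped. *)
let hardened : SC.t =
  SC.make
    ~run_as_non_root:true
    ~run_as_user:10001
    ~run_as_group:10001
    ~read_only_root_filesystem:true
    ~allow_privilege_escalation:false
    ~privileged:false
    ~capabilities:(Caps.make ~drop:[ "ALL" ] ()) (* assumed signature *)
    ()

(* Lint a context through the accessors. A field left at None falls back to
   the runtime default documented above, so only an explicit safe value passes. *)
let findings (sc : SC.t) : string list =
  let check cond msg acc = if cond then msg :: acc else acc in
  []
  |> check (SC.privileged sc = Some true)
       "privileged: true (process is essentially root on the host)"
  |> check (SC.allow_privilege_escalation sc <> Some false)
       "allow_privilege_escalation not explicitly false (no_new_privs not set)"
  |> check (SC.run_as_non_root sc <> Some true)
       "run_as_non_root not true (kubelet will not reject a UID 0 image)"
  |> check (SC.read_only_root_filesystem sc <> Some true)
       "read_only_root_filesystem not true (root filesystem is writable)"
  |> List.rev

let () =
  assert (findings hardened = []);
  (* A context built from defaults alone trips three of the four checks. *)
  let default_ctx = SC.make () in
  List.iter print_endline (findings default_ctx);
  (* Serialise the hardened context to the JSON the API server accepts. *)
  print_endline (Yojson.Safe.pretty_to_string (SC.to_yojson hardened))
```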