我的书签
添加书签
移除书签v1.PodSecurityPolicyReview
Description
PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the PodTemplateSpec in question.
Object Schema
Expand or mouse-over a field for more information about it.
apiVersion:kind:spec:serviceAccountNames:- [string]:template:metadata:annotations:[string]:clusterName:creationTimestamp:deletionGracePeriodSeconds:deletionTimestamp:finalizers:- [string]:generateName:generation:initializers:pending:- name:result:apiVersion:code:details:causes:- field:message:reason:group:kind:name:retryAfterSeconds:uid:kind:message:metadata:resourceVersion:selfLink:reason:status:labels:[string]:name:namespace:ownerReferences:- apiVersion:blockOwnerDeletion:controller:kind:name:uid:resourceVersion:selfLink:uid:spec:activeDeadlineSeconds:affinity:nodeAffinity:preferredDuringSchedulingIgnoredDuringExecution:- preference:- matchExpressions:- - key:operator:values:- [string]:weight:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- - key:operator:values:- [string]:podAffinity:preferredDuringSchedulingIgnoredDuringExecution:- podAffinityTerm:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:weight:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:podAntiAffinity:preferredDuringSchedulingIgnoredDuringExecution:- podAffinityTerm:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:weight:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:automountServiceAccountToken:containers:- args:- - [string]:command:- [string]:env:- name:value:valueFrom:configMapKeyRef:key:name:optional:fieldRef:apiVersion:fieldPath:resourceFieldRef:containerName:divisor:resource:secretKeyRef:key:name:optional:envFrom:- configMapRef:- name:optional:prefix:secretRef:name:optional:image:imagePullPolicy:lifecycle:postStart:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:preStop:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:livenessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:name:ports:- containerPort:hostIP:hostPort:name:protocol:readinessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:resources:limits:[string]:requests:[string]:securityContext:capabilities:add:- [string]:drop:- [string]:privileged:readOnlyRootFilesystem:runAsNonRoot:runAsUser:seLinuxOptions:level:role:type:user:stdin:stdinOnce:terminationMessagePath:terminationMessagePolicy:tty:volumeMounts:- mountPath:name:readOnly:subPath:workingDir:dnsPolicy:hostAliases:- hostnames:- - [string]:ip:hostIPC:hostNetwork:hostPID:hostname:imagePullSecrets:- name:initContainers:- args:- - [string]:command:- [string]:env:- name:value:valueFrom:configMapKeyRef:key:name:optional:fieldRef:apiVersion:fieldPath:resourceFieldRef:containerName:divisor:resource:secretKeyRef:key:name:optional:envFrom:- configMapRef:- name:optional:prefix:secretRef:name:optional:image:imagePullPolicy:lifecycle:postStart:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:preStop:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:livenessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:name:ports:- containerPort:hostIP:hostPort:name:protocol:readinessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:resources:limits:[string]:requests:[string]:securityContext:capabilities:add:- [string]:drop:- [string]:privileged:readOnlyRootFilesystem:runAsNonRoot:runAsUser:seLinuxOptions:level:role:type:user:stdin:stdinOnce:terminationMessagePath:terminationMessagePolicy:tty:volumeMounts:- mountPath:name:readOnly:subPath:workingDir:nodeName:nodeSelector:[string]:restartPolicy:schedulerName:securityContext:fsGroup:runAsNonRoot:runAsUser:seLinuxOptions:level:role:type:user:supplementalGroups:- [integer]:serviceAccount:serviceAccountName:subdomain:terminationGracePeriodSeconds:tolerations:- effect:key:operator:tolerationSeconds:value:volumes:- awsElasticBlockStore:- fsType:partition:readOnly:volumeID:azureDisk:cachingMode:diskName:diskURI:fsType:kind:readOnly:azureFile:readOnly:secretName:shareName:cephfs:monitors:- [string]:path:readOnly:secretFile:secretRef:name:user:cinder:fsType:readOnly:volumeID:configMap:defaultMode:items:- key:mode:path:name:optional:downwardAPI:defaultMode:items:- fieldRef:- apiVersion:fieldPath:mode:path:resourceFieldRef:containerName:divisor:resource:emptyDir:medium:sizeLimit:fc:fsType:lun:readOnly:targetWWNs:- [string]:flexVolume:driver:fsType:options:[string]:readOnly:secretRef:name:flocker:datasetName:datasetUUID:gcePersistentDisk:fsType:partition:pdName:readOnly:glusterfs:endpoints:path:readOnly:hostPath:path:iscsi:chapAuthDiscovery:chapAuthSession:fsType:iqn:iscsiInterface:lun:portals:- [string]:readOnly:secretRef:name:targetPortal:name:nfs:path:readOnly:server:persistentVolumeClaim:claimName:readOnly:photonPersistentDisk:fsType:pdID:portworxVolume:fsType:readOnly:volumeID:projected:defaultMode:sources:- configMap:- items:- - key:mode:path:name:optional:downwardAPI:items:- fieldRef:- apiVersion:fieldPath:mode:path:resourceFieldRef:containerName:divisor:resource:secret:items:- key:mode:path:name:optional:quobyte:group:readOnly:registry:user:volume:rbd:fsType:image:keyring:monitors:- [string]:pool:readOnly:secretRef:name:user:scaleIO:fsType:gateway:protectionDomain:readOnly:secretRef:name:sslEnabled:storageMode:storagePool:system:volumeName:secret:defaultMode:items:- key:mode:path:optional:secretName:storageos:fsType:readOnly:secretRef:name:volumeName:volumeNamespace:vsphereVolume:fsType:storagePolicyID:storagePolicyName:volumePath:status:allowedServiceAccounts:- allowedBy:- apiVersion:fieldPath:kind:name:namespace:resourceVersion:uid:name:reason:template:metadata:annotations:[string]:clusterName:creationTimestamp:deletionGracePeriodSeconds:deletionTimestamp:finalizers:- [string]:generateName:generation:initializers:pending:- name:result:apiVersion:code:details:causes:- field:message:reason:group:kind:name:retryAfterSeconds:uid:kind:message:metadata:resourceVersion:selfLink:reason:status:labels:[string]:name:namespace:ownerReferences:- apiVersion:blockOwnerDeletion:controller:kind:name:uid:resourceVersion:selfLink:uid:spec:activeDeadlineSeconds:affinity:nodeAffinity:preferredDuringSchedulingIgnoredDuringExecution:- preference:- matchExpressions:- - key:operator:values:- [string]:weight:requiredDuringSchedulingIgnoredDuringExecution:nodeSelectorTerms:- matchExpressions:- - key:operator:values:- [string]:podAffinity:preferredDuringSchedulingIgnoredDuringExecution:- podAffinityTerm:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:weight:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:podAntiAffinity:preferredDuringSchedulingIgnoredDuringExecution:- podAffinityTerm:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:weight:requiredDuringSchedulingIgnoredDuringExecution:- labelSelector:- matchExpressions:- - key:operator:values:- [string]:matchLabels:[string]:namespaces:- [string]:topologyKey:automountServiceAccountToken:containers:- args:- - [string]:command:- [string]:env:- name:value:valueFrom:configMapKeyRef:key:name:optional:fieldRef:apiVersion:fieldPath:resourceFieldRef:containerName:divisor:resource:secretKeyRef:key:name:optional:envFrom:- configMapRef:- name:optional:prefix:secretRef:name:optional:image:imagePullPolicy:lifecycle:postStart:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:preStop:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:livenessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:name:ports:- containerPort:hostIP:hostPort:name:protocol:readinessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:resources:limits:[string]:requests:[string]:securityContext:capabilities:add:- [string]:drop:- [string]:privileged:readOnlyRootFilesystem:runAsNonRoot:runAsUser:seLinuxOptions:level:role:type:user:stdin:stdinOnce:terminationMessagePath:terminationMessagePolicy:tty:volumeMounts:- mountPath:name:readOnly:subPath:workingDir:dnsPolicy:hostAliases:- hostnames:- - [string]:ip:hostIPC:hostNetwork:hostPID:hostname:imagePullSecrets:- name:initContainers:- args:- - [string]:command:- [string]:env:- name:value:valueFrom:configMapKeyRef:key:name:optional:fieldRef:apiVersion:fieldPath:resourceFieldRef:containerName:divisor:resource:secretKeyRef:key:name:optional:envFrom:- configMapRef:- name:optional:prefix:secretRef:name:optional:image:imagePullPolicy:lifecycle:postStart:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:preStop:exec:command:- [string]:httpGet:host:httpHeaders:- name:value:path:port:scheme:tcpSocket:host:port:livenessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:name:ports:- containerPort:hostIP:hostPort:name:protocol:readinessProbe:exec:command:- [string]:failureThreshold:httpGet:host:httpHeaders:- name:value:path:port:scheme:initialDelaySeconds:periodSeconds:successThreshold:tcpSocket:host:port:timeoutSeconds:resources:limits:[string]:requests:[string]:securityContext:capabilities:add:- [string]:drop:- [string]:privileged:readOnlyRootFilesystem:runAsNonRoot:runAsUser:seLinuxOptions:level:role:type:user:stdin:stdinOnce:terminationMessagePath:terminationMessagePolicy:tty:volumeMounts:- mountPath:name:readOnly:subPath:workingDir:nodeName:nodeSelector:[string]:restartPolicy:schedulerName:securityContext:fsGroup:runAsNonRoot:runAsUser:seLinuxOptions:level:role:type:user:supplementalGroups:- [integer]:serviceAccount:serviceAccountName:subdomain:terminationGracePeriodSeconds:tolerations:- effect:key:operator:tolerationSeconds:value:volumes:- awsElasticBlockStore:- fsType:partition:readOnly:volumeID:azureDisk:cachingMode:diskName:diskURI:fsType:kind:readOnly:azureFile:readOnly:secretName:shareName:cephfs:monitors:- [string]:path:readOnly:secretFile:secretRef:name:user:cinder:fsType:readOnly:volumeID:configMap:defaultMode:items:- key:mode:path:name:optional:downwardAPI:defaultMode:items:- fieldRef:- apiVersion:fieldPath:mode:path:resourceFieldRef:containerName:divisor:resource:emptyDir:medium:sizeLimit:fc:fsType:lun:readOnly:targetWWNs:- [string]:flexVolume:driver:fsType:options:[string]:readOnly:secretRef:name:flocker:datasetName:datasetUUID:gcePersistentDisk:fsType:partition:pdName:readOnly:glusterfs:endpoints:path:readOnly:hostPath:path:iscsi:chapAuthDiscovery:chapAuthSession:fsType:iqn:iscsiInterface:lun:portals:- [string]:readOnly:secretRef:name:targetPortal:name:nfs:path:readOnly:server:persistentVolumeClaim:claimName:readOnly:photonPersistentDisk:fsType:pdID:portworxVolume:fsType:readOnly:volumeID:projected:defaultMode:sources:- configMap:- items:- - key:mode:path:name:optional:downwardAPI:items:- fieldRef:- apiVersion:fieldPath:mode:path:resourceFieldRef:containerName:divisor:resource:secret:items:- key:mode:path:name:optional:quobyte:group:readOnly:registry:user:volume:rbd:fsType:image:keyring:monitors:- [string]:pool:readOnly:secretRef:name:user:scaleIO:fsType:gateway:protectionDomain:readOnly:secretRef:name:sslEnabled:storageMode:storagePool:system:volumeName:secret:defaultMode:items:- key:mode:path:optional:secretName:storageos:fsType:readOnly:secretRef:name:volumeName:volumeNamespace:vsphereVolume:fsType:storagePolicyID:storagePolicyName:volumePath:
Operations
Create a PodSecurityPolicyReview
Create a PodSecurityPolicyReview
HTTP request
POST /apis/security.openshift.io/v1/podsecuritypolicyreviews HTTP/1.1Authorization: Bearer $TOKENAccept: application/jsonConnection: closeContent-Type: application/json'{"kind": "PodSecurityPolicyReview","apiVersion": "security.openshift.io/v1",...}
Curl request
$ curl -k \-X POST \-d @- \-H "Authorization: Bearer $TOKEN" \-H 'Accept: application/json' \-H 'Content-Type: application/json' \https://$ENDPOINT/apis/security.openshift.io/v1/podsecuritypolicyreviews <<'EOF'{"kind": "PodSecurityPolicyReview","apiVersion": "security.openshift.io/v1",...}EOF
HTTP body
| Parameter | Schema |
|---|---|
body | v1.PodSecurityPolicyReview |
Query parameters
| Parameter | Description |
|---|---|
pretty | If ‘true’, then the output is pretty printed. |
Responses
| HTTP Code | Schema |
|---|---|
200 OK | v1.PodSecurityPolicyReview |
401 Unauthorized |
Consumes
- */*
Produces
application/json
application/yaml
application/vnd.kubernetes.protobuf
Create a PodSecurityPolicyReview in a namespace
Create a PodSecurityPolicyReview
HTTP request
POST /apis/security.openshift.io/v1/namespaces/$NAMESPACE/podsecuritypolicyreviews HTTP/1.1Authorization: Bearer $TOKENAccept: application/jsonConnection: closeContent-Type: application/json'{"kind": "PodSecurityPolicyReview","apiVersion": "security.openshift.io/v1",...}
Curl request
$ curl -k \-X POST \-d @- \-H "Authorization: Bearer $TOKEN" \-H 'Accept: application/json' \-H 'Content-Type: application/json' \https://$ENDPOINT/apis/security.openshift.io/v1/namespaces/$NAMESPACE/podsecuritypolicyreviews <<'EOF'{"kind": "PodSecurityPolicyReview","apiVersion": "security.openshift.io/v1",...}EOF
HTTP body
| Parameter | Schema |
|---|---|
body | v1.PodSecurityPolicyReview |
Path parameters
| Parameter | Description |
|---|---|
namespace | object name and auth scope, such as for teams and projects |
Query parameters
| Parameter | Description |
|---|---|
pretty | If ‘true’, then the output is pretty printed. |
Responses
| HTTP Code | Schema |
|---|---|
200 OK | v1.PodSecurityPolicyReview |
401 Unauthorized |
Consumes
- */*
Produces
application/json
application/yaml
application/vnd.kubernetes.protobuf
