
# Generated using https://github.com/RedHatQE/openshift-python-wrapper/blob/main/scripts/resource/README.md

2 

3from typing import Any, Optional 

4from ocp_resources.resource import Resource, MissingRequiredArgumentError 

5 

6 

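class SecurityContextConstraints(Resource):
    """
    SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints.
    Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).

    Tri-state flags: every ``allow_*`` flag, ``read_only_root_filesystem`` and the
    two ``*privilege_escalation`` fields accept ``None`` ("not given"), ``True``
    or ``False``. ``False`` is a real value -- normally the *restrictive* one --
    and must reach the API server, so ``to_dict`` distinguishes ``None`` from
    ``False`` with ``is None`` / ``is not None`` instead of truthiness.

    NOTE(review): those ``is None`` checks deviate from the generator's output
    (which used ``if not self.<field>``); regenerating this file from the
    template will reintroduce the defect unless the generator is fixed too.
    """

    api_group: str = Resource.ApiGroup.SECURITY_OPENSHIFT_IO

    def __init__(
        self,
        allow_host_dir_volume_plugin: Optional[bool] = None,
        allow_host_ipc: Optional[bool] = None,
        allow_host_network: Optional[bool] = None,
        allow_host_pid: Optional[bool] = None,
        allow_host_ports: Optional[bool] = None,
        allow_privilege_escalation: Optional[Any] = None,
        allow_privileged_container: Optional[bool] = None,
        allowed_capabilities: Optional[Any] = None,
        allowed_flex_volumes: Optional[Any] = None,
        allowed_unsafe_sysctls: Optional[Any] = None,
        default_add_capabilities: Optional[Any] = None,
        default_allow_privilege_escalation: Optional[Any] = None,
        forbidden_sysctls: Optional[Any] = None,
        fs_group: Optional[Any] = None,
        groups: Optional[Any] = None,
        priority: Optional[Any] = None,
        read_only_root_filesystem: Optional[bool] = None,
        required_drop_capabilities: Optional[Any] = None,
        run_as_user: Optional[Any] = None,
        se_linux_context: Optional[Any] = None,
        seccomp_profiles: Optional[Any] = None,
        supplemental_groups: Optional[Any] = None,
        users: Optional[Any] = None,
        volumes: Optional[Any] = None,
        **kwargs: Any,
    ) -> None:
        """
        Args:
            allow_host_dir_volume_plugin (bool): AllowHostDirVolumePlugin determines if the policy allow containers to
              use the HostDir volume plugin

            allow_host_ipc (bool): AllowHostIPC determines if the policy allows host ipc in the
              containers.

            allow_host_network (bool): AllowHostNetwork determines if the policy allows the use of
              HostNetwork in the pod spec.

            allow_host_pid (bool): AllowHostPID determines if the policy allows host pid in the
              containers.

            allow_host_ports (bool): AllowHostPorts determines if the policy allows host ports in the
              containers.

            allow_privilege_escalation (Any): AllowPrivilegeEscalation determines if a pod can request to allow
              privilege escalation. If unspecified, defaults to true. Pass an
              explicit ``False`` to deny it; ``None`` leaves the API default.

            allow_privileged_container (bool): AllowPrivilegedContainer determines if a container can request to be
              run as privileged.

            allowed_capabilities (Any): AllowedCapabilities is a list of capabilities that can be requested to
              add to the container. Capabilities in this field may be added at
              the pod author's discretion. You must not list a capability in
              both AllowedCapabilities and RequiredDropCapabilities. To allow
              all capabilities you may use '*'.

            allowed_flex_volumes (Any): AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or
              nil indicates that all Flexvolumes may be used. This parameter is
              effective only when the usage of the Flexvolumes is allowed in the
              "Volumes" field.

            allowed_unsafe_sysctls (Any): AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls,
              defaults to none. Each entry is either a plain sysctl name or ends
              in "*" in which case it is considered as a prefix of allowed
              sysctls. Single * means all unsafe sysctls are allowed. Kubelet
              has to whitelist all allowed unsafe sysctls explicitly to avoid
              rejection. Examples: e.g. "foo/*" allows "foo/bar", "foo/baz",
              etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc.

            default_add_capabilities (Any): DefaultAddCapabilities is the default set of capabilities that will be
              added to the container unless the pod spec specifically drops the
              capability. You may not list a capability in both
              DefaultAddCapabilities and RequiredDropCapabilities.

            default_allow_privilege_escalation (Any): DefaultAllowPrivilegeEscalation controls the default setting for
              whether a process can gain more privileges than its parent
              process. Pass an explicit ``False`` to default to "deny";
              ``None`` leaves the API default.

            forbidden_sysctls (Any): ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults
              to none. Each entry is either a plain sysctl name or ends in "*"
              in which case it is considered as a prefix of forbidden sysctls.
              Single * means all sysctls are forbidden. Examples: e.g. "foo/*"
              forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar",
              "foo.baz", etc.

            fs_group (Any): FSGroup is the strategy that will dictate what fs group is used by the
              SecurityContext.

            groups (Any): The groups that have permission to use this security context
              constraints

            priority (Any): Priority influences the sort order of SCCs when evaluating which SCCs
              to try first for a given pod request based on access in the Users
              and Groups fields. The higher the int, the higher priority. An
              unset value is considered a 0 priority. If scores for multiple
              SCCs are equal they will be sorted from most restrictive to least
              restrictive. If both priorities and restrictions are equal the
              SCCs will be sorted by name.

            read_only_root_filesystem (bool): ReadOnlyRootFilesystem when set to true will force containers to run
              with a read only root file system. If the container specifically
              requests to run with a non-read only root file system the SCC
              should deny the pod. If set to false the container may run with a
              read only root file system if it wishes but it will not be forced
              to.

            required_drop_capabilities (Any): RequiredDropCapabilities are the capabilities that will be dropped
              from the container. These are required to be dropped and cannot
              be added.

            run_as_user (Any): RunAsUser is the strategy that will dictate what RunAsUser is used in
              the SecurityContext.

            se_linux_context (Any): SELinuxContext is the strategy that will dictate what labels will be
              set in the SecurityContext.

            seccomp_profiles (Any): SeccompProfiles lists the allowed profiles that may be set for the pod
              or container's seccomp annotations. An unset (nil) or empty value
              means that no profiles may be specified by the pod or container.
              The wildcard '*' may be used to allow all profiles. When used to
              generate a value for a pod the first non-wildcard profile will be
              used as the default.

            supplemental_groups (Any): SupplementalGroups is the strategy that will dictate what supplemental
              groups are used by the SecurityContext.

            users (Any): The users who have permissions to use this security context
              constraints

            volumes (Any): Volumes is a white list of allowed volume plugins. FSType corresponds
              directly with the field names of a VolumeSource (azureFile,
              configMap, emptyDir). To allow all volumes you may use "*". To
              allow no volumes, set to ["none"].

        """
        super().__init__(**kwargs)

        self.allow_host_dir_volume_plugin = allow_host_dir_volume_plugin
        self.allow_host_ipc = allow_host_ipc
        self.allow_host_network = allow_host_network
        self.allow_host_pid = allow_host_pid
        self.allow_host_ports = allow_host_ports
        self.allow_privilege_escalation = allow_privilege_escalation
        self.allow_privileged_container = allow_privileged_container
        self.allowed_capabilities = allowed_capabilities
        self.allowed_flex_volumes = allowed_flex_volumes
        self.allowed_unsafe_sysctls = allowed_unsafe_sysctls
        self.default_add_capabilities = default_add_capabilities
        self.default_allow_privilege_escalation = default_allow_privilege_escalation
        self.forbidden_sysctls = forbidden_sysctls
        self.fs_group = fs_group
        self.groups = groups
        self.priority = priority
        self.read_only_root_filesystem = read_only_root_filesystem
        self.required_drop_capabilities = required_drop_capabilities
        self.run_as_user = run_as_user
        self.se_linux_context = se_linux_context
        self.seccomp_profiles = seccomp_profiles
        self.supplemental_groups = supplemental_groups
        self.users = users
        self.volumes = volumes

    def to_dict(self) -> None:
        """
        Populate ``self.res`` from the constructor arguments.

        The field mapping only runs when the resource was not supplied as an
        explicit ``kind_dict`` or ``yaml_file``. The seven boolean fields in
        ``required_flags`` are mandatory in the API, so each must be an explicit
        ``True`` or ``False``; ``None`` raises ``MissingRequiredArgumentError``.

        Why ``is None`` rather than ``if not ...``: the generated truthiness
        check treated ``False`` as "missing", which made it impossible to build
        a restrictive SCC (``allow_host_network=False``,
        ``allow_privileged_container=False``, ...) -- every flag had to be
        ``True`` to get past validation. The same truthiness test on
        ``allow_privilege_escalation`` / ``default_allow_privilege_escalation``
        silently dropped an explicit ``False``, so the API default
        (escalation allowed) took effect despite the caller denying it.

        Raises:
            MissingRequiredArgumentError: if any mandatory boolean is ``None``.
        """
        super().to_dict()

        if self.kind_dict or self.yaml_file:
            return

        # Mandatory booleans: (attribute, API key). Validate all of them before
        # writing anything, so a failure leaves ``self.res`` untouched.
        required_flags = (
            ("allow_host_dir_volume_plugin", "allowHostDirVolumePlugin"),
            ("allow_host_ipc", "allowHostIPC"),
            ("allow_host_network", "allowHostNetwork"),
            ("allow_host_pid", "allowHostPID"),
            ("allow_host_ports", "allowHostPorts"),
            ("allow_privileged_container", "allowPrivilegedContainer"),
            ("read_only_root_filesystem", "readOnlyRootFilesystem"),
        )
        for attr, _ in required_flags:
            if getattr(self, attr) is None:
                raise MissingRequiredArgumentError(argument=f"self.{attr}")
        for attr, key in required_flags:
            self.res[key] = getattr(self, attr)

        # Optional fields in API order: (attribute, API key, explicit_false_is_meaningful).
        # For the two privilege-escalation flags and ``priority`` an explicit
        # ``False``/``0`` must be emitted (``is not None``). Collection and
        # strategy fields keep the original truthiness test, so an empty list
        # is still omitted as it was in the generated code.
        optional_fields = (
            ("allow_privilege_escalation", "allowPrivilegeEscalation", True),
            ("allowed_capabilities", "allowedCapabilities", False),
            ("allowed_flex_volumes", "allowedFlexVolumes", False),
            ("allowed_unsafe_sysctls", "allowedUnsafeSysctls", False),
            ("default_add_capabilities", "defaultAddCapabilities", False),
            ("default_allow_privilege_escalation", "defaultAllowPrivilegeEscalation", True),
            ("forbidden_sysctls", "forbiddenSysctls", False),
            ("fs_group", "fsGroup", False),
            ("groups", "groups", False),
            ("priority", "priority", True),
            ("required_drop_capabilities", "requiredDropCapabilities", False),
            ("run_as_user", "runAsUser", False),
            ("se_linux_context", "seLinuxContext", False),
            ("seccomp_profiles", "seccompProfiles", False),
            ("supplemental_groups", "supplementalGroups", False),
            ("users", "users", False),
            ("volumes", "volumes", False),
        )
        for attr, key, explicit_false_is_meaningful in optional_fields:
            value = getattr(self, attr)
            present = value is not None if explicit_false_is_meaningful else bool(value)
            if present:
                self.res[key] = value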

261 

# End of generated code