Security APIs
Reference guide for security APIs
Abstract
Chapter 1. Security APIs
1.1. CertificateSigningRequest [certificates.k8s.io/v1]
- Description
CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
Kubelets use this API to obtain: 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers.
- Type
- object
1.2. CredentialsRequest [cloudcredential.openshift.io/v1]
- Description
- CredentialsRequest is the Schema for the credentialsrequests API
- Type
- object
1.3. PodSecurityPolicyReview [security.openshift.io/v1]
- Description
PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the PodTemplateSpec in question.
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
- Type
- object
1.4. PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- Description
PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
- Type
- object
1.5. PodSecurityPolicySubjectReview [security.openshift.io/v1]
- Description
PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
- Type
- object
1.6. RangeAllocation [security.openshift.io/v1]
- Description
RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
- Type
- object
1.7. Secret [v1]
- Description
- Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.
- Type
- object
1.8. SecurityContextConstraints [security.openshift.io/v1]
- Description
- SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- Type
- object
1.9. ServiceAccount [v1]
- Description
- ServiceAccount binds together: * a name, understood by users, and perhaps by peripheral systems, for an identity * a principal that can be authenticated and authorized * a set of secrets
- Type
- object
Chapter 2. CertificateSigningRequest [certificates.k8s.io/v1]
- Description
CertificateSigningRequest objects provide a mechanism to obtain x509 certificates by submitting a certificate signing request, and having it asynchronously approved and issued.
Kubelets use this API to obtain: 1. client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client-kubelet" signerName). 2. serving certificates for TLS endpoints kube-apiserver can connect to securely (with the "kubernetes.io/kubelet-serving" signerName).
This API can be used to request client certificates to authenticate to kube-apiserver (with the "kubernetes.io/kube-apiserver-client" signerName), or to obtain certificates from custom non-Kubernetes signers.
- Type
- object
- Required
- spec
2.1. Specification
Property | Type | Description |
---|---|---|
`apiVersion` | `string` | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
`kind` | `string` | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`metadata` | `ObjectMeta` | |
`spec` | `object` | CertificateSigningRequestSpec contains the certificate request. |
`status` | `object` | CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate. |
2.1.1. .spec
- Description
- CertificateSigningRequestSpec contains the certificate request.
- Type
- object
- Required
- request
- signerName
Property | Type | Description |
---|---|---|
`expirationSeconds` | `integer` | expirationSeconds is the requested duration of validity of the issued certificate. The certificate signer may issue a certificate with a different validity duration so a client must check the delta between the notBefore and notAfter fields in the issued certificate to determine the actual duration. The v1.22+ in-tree implementations of the well-known Kubernetes signers will honor this field as long as the requested duration is not greater than the maximum duration they will honor per the --cluster-signing-duration CLI flag to the Kubernetes controller manager. Certificate signers may not honor this field for various reasons: 1. Old signer that is unaware of the field (such as the in-tree implementations prior to v1.22) 2. Signer whose configured maximum is shorter than the requested duration 3. Signer whose configured minimum is longer than the requested duration The minimum valid value for expirationSeconds is 600, i.e. 10 minutes. |
`extra` | `object` | extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
`extra{}` | `array (string)` | |
`groups` | `array (string)` | groups contains group membership of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
`request` | `string` | request contains an x509 certificate signing request encoded in a "CERTIFICATE REQUEST" PEM block. When serialized as JSON or YAML, the data is additionally base64-encoded. |
`signerName` | `string` | signerName indicates the requested signer, and is a qualified name. List/watch requests for CertificateSigningRequests can filter on this field using a "spec.signerName=NAME" fieldSelector. Well-known Kubernetes signers are: 1. "kubernetes.io/kube-apiserver-client": issues client certificates that can be used to authenticate to kube-apiserver. Requests for this signer are never auto-approved by kube-controller-manager, can be issued by the "csrsigning" controller in kube-controller-manager. 2. "kubernetes.io/kube-apiserver-client-kubelet": issues client certificates that kubelets use to authenticate to kube-apiserver. Requests for this signer can be auto-approved by the "csrapproving" controller in kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. 3. "kubernetes.io/kubelet-serving" issues serving certificates that kubelets use to serve TLS endpoints, which kube-apiserver can connect to securely. Requests for this signer are never auto-approved by kube-controller-manager, and can be issued by the "csrsigning" controller in kube-controller-manager. More details are available at https://k8s.io/docs/reference/access-authn-authz/certificate-signing-requests/#kubernetes-signers Custom signerNames can also be specified. The signer defines: 1. Trust distribution: how trust (CA bundles) are distributed. 2. Permitted subjects: and behavior when a disallowed subject is requested. 3. Required, permitted, or forbidden x509 extensions in the request (including whether subjectAltNames are allowed, which types, restrictions on allowed values) and behavior when a disallowed extension is requested. 4. Required, permitted, or forbidden key usages / extended key usages. 5. Expiration/certificate lifetime: whether it is fixed by the signer, configurable by the admin. 6. Whether or not requests for CA certificates are allowed. |
`uid` | `string` | uid contains the uid of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
`usages` | `array (string)` | usages specifies a set of key usages requested in the issued certificate. Requests for TLS client certificates typically request: "digital signature", "key encipherment", "client auth". Requests for TLS serving certificates typically request: "key encipherment", "digital signature", "server auth". Valid values are: "signing", "digital signature", "content commitment", "key encipherment", "key agreement", "data encipherment", "cert sign", "crl sign", "encipher only", "decipher only", "any", "server auth", "client auth", "code signing", "email protection", "s/mime", "ipsec end system", "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing", "microsoft sgc", "netscape sgc" |
`username` | `string` | username contains the name of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable. |
2.1.2. .spec.extra
- Description
- extra contains extra attributes of the user that created the CertificateSigningRequest. Populated by the API server on creation and immutable.
- Type
- object
2.1.3. .status
- Description
- CertificateSigningRequestStatus contains conditions used to indicate approved/denied/failed status of the request, and the issued certificate.
- Type
- object
Property | Type | Description |
---|---|---|
`certificate` | `string` | certificate is populated with an issued certificate by the signer after an Approved condition is present. This field is set via the /status subresource. Once populated, this field is immutable. If the certificate signing request is denied, a condition of type "Denied" is added and this field remains empty. If the signer cannot issue the certificate, a condition of type "Failed" is added and this field remains empty. Validation requirements: 1. certificate must contain one or more PEM blocks. 2. All PEM blocks must have the "CERTIFICATE" label, contain no headers, and the encoded data must be a BER-encoded ASN.1 Certificate structure as described in section 4 of RFC5280. 3. Non-PEM content may appear before or after the "CERTIFICATE" PEM blocks and is unvalidated, to allow for explanatory text as described in section 5.2 of RFC7468. If more than one PEM block is present, and the definition of the requested spec.signerName does not indicate otherwise, the first block is the issued certificate, and subsequent blocks should be treated as intermediate certificates and presented in TLS handshakes. The certificate is encoded in PEM format. When serialized as JSON or YAML, the data is additionally base64-encoded, so it consists of: base64( -----BEGIN CERTIFICATE----- … -----END CERTIFICATE----- ) |
`conditions` | `array` | conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed". |
`conditions[]` | `object` | CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object |
2.1.4. .status.conditions
- Description
- conditions applied to the request. Known conditions are "Approved", "Denied", and "Failed".
- Type
- array
2.1.5. .status.conditions[]
- Description
- CertificateSigningRequestCondition describes a condition of a CertificateSigningRequest object
- Type
- object
- Required
- type
- status
Property | Type | Description |
---|---|---|
`lastTransitionTime` | `Time` | lastTransitionTime is the time the condition last transitioned from one status to another. If unset, when a new condition type is added or an existing condition’s status is changed, the server defaults this to the current time. |
`lastUpdateTime` | `Time` | lastUpdateTime is the time of the last update to this condition |
`message` | `string` | message contains a human readable message with details about the request state |
`reason` | `string` | reason indicates a brief reason for the request state |
`status` | `string` | status of the condition, one of True, False, Unknown. Approved, Denied, and Failed conditions may not be "False" or "Unknown". |
`type` | `string` | type of the condition. Known conditions are "Approved", "Denied", and "Failed". An "Approved" condition is added via the /approval subresource, indicating the request was approved and should be issued by the signer. A "Denied" condition is added via the /approval subresource, indicating the request was denied and should not be issued by the signer. A "Failed" condition is added via the /status subresource, indicating the signer failed to issue the certificate. Approved and Denied conditions are mutually exclusive. Approved, Denied, and Failed conditions cannot be removed once added. Only one condition of a given type is allowed. |
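The `.spec` rules (qualified signerName, the valid `usages` values, the 600-second minimum for `expirationSeconds`, base64 over a "CERTIFICATE REQUEST" PEM block) and the `.status` rules (one or more header-free "CERTIFICATE" PEM blocks with the leaf first, conditions that are mutually exclusive and may not be False or Unknown) are what a client must check on both sides of the exchange. The Python below is an added example, not Kubernetes or OpenShift code; it builds a request manifest, splits an issued chain the way a TLS client should, and classifies a request's conditions. The PEM bodies are constructed stand-ins (minimal ASN.1 SEQUENCEs, not real certificates), and the function names `build_csr`, `split_issued_chain` and `request_state` are chosen here.

```python
"""Client-side checks for certificates.k8s.io/v1 CertificateSigningRequest
objects, following the .spec and .status rules of the reference.
Added example; not Kubernetes or OpenShift code."""
import base64
import re

# Key usages as listed for .spec.usages.
VALID_USAGES = {
    "signing", "digital signature", "content commitment", "key encipherment",
    "key agreement", "data encipherment", "cert sign", "crl sign",
    "encipher only", "decipher only", "any", "server auth", "client auth",
    "code signing", "email protection", "s/mime", "ipsec end system",
    "ipsec tunnel", "ipsec user", "timestamping", "ocsp signing",
    "microsoft sgc", "netscape sgc",
}
MIN_EXPIRATION_SECONDS = 600  # 10 minutes, the documented minimum
TERMINAL_CONDITIONS = {"Approved", "Denied", "Failed"}
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", re.S)


def build_csr(name, csr_pem, signer_name, usages, expiration_seconds=None):
    """Return a CertificateSigningRequest manifest (a dict) ready to POST,
    refusing values the reference says are invalid."""
    if "/" not in signer_name:  # signerName is a qualified name (domain/name)
        raise ValueError("signerName must be a qualified name")
    unknown = set(usages) - VALID_USAGES
    if unknown:
        raise ValueError(f"invalid usages: {sorted(unknown)}")
    if expiration_seconds is not None and expiration_seconds < MIN_EXPIRATION_SECONDS:
        raise ValueError("expirationSeconds must be at least 600")
    if not csr_pem.startswith("-----BEGIN CERTIFICATE REQUEST-----"):
        raise ValueError('request must be a "CERTIFICATE REQUEST" PEM block')
    spec = {
        # The PEM text is base64-encoded again when serialised as JSON/YAML.
        "request": base64.b64encode(csr_pem.encode()).decode(),
        "signerName": signer_name,
        "usages": list(usages),
    }
    if expiration_seconds is not None:
        spec["expirationSeconds"] = expiration_seconds
    return {"apiVersion": "certificates.k8s.io/v1",
            "kind": "CertificateSigningRequest",
            "metadata": {"name": name}, "spec": spec}


def split_issued_chain(status_certificate):
    """Decode status.certificate and return (leaf DER, [intermediate DERs]).
    Enforces: one or more PEM blocks, each labelled CERTIFICATE with no
    headers, each body an ASN.1 SEQUENCE; text outside the blocks is
    explanatory and ignored (RFC 7468 section 5.2)."""
    pem = base64.b64decode(status_certificate).decode()
    ders = []
    for label, body in PEM_BLOCK.findall(pem):
        if label != "CERTIFICATE":
            raise ValueError(f"unexpected PEM label {label!r}")
        if ":" in body:  # a "Name: value" line would be a forbidden PEM header
            raise ValueError("PEM headers are not allowed")
        der = base64.b64decode("".join(body.split()))
        if not der or der[0] != 0x30:  # ASN.1 SEQUENCE tag
            raise ValueError("block is not an ASN.1 Certificate structure")
        ders.append(der)
    if not ders:
        raise ValueError("certificate must contain at least one PEM block")
    return ders[0], ders[1:]


def request_state(conditions):
    """Classify status.conditions as Pending, Approved, Denied or Failed,
    rejecting combinations the reference says cannot occur."""
    seen = {}
    for cond in conditions:
        ctype, status = cond.get("type"), cond.get("status")
        if ctype in seen:
            raise ValueError(f"only one {ctype} condition is allowed")
        if ctype in TERMINAL_CONDITIONS and status != "True":
            raise ValueError(f"{ctype} may not be False or Unknown")
        seen[ctype] = status
    if "Approved" in seen and "Denied" in seen:
        raise ValueError("Approved and Denied are mutually exclusive")
    for ctype in ("Failed", "Denied", "Approved"):  # Failed follows an Approved
        if ctype in seen:
            return ctype
    return "Pending"


# Constructed sample values (not real certificates): each PEM body holds a
# minimal ASN.1 SEQUENCE so the structural checks have something to parse.
FAKE_LEAF_DER = b"\x30\x03\x02\x01\x01"
FAKE_INTERMEDIATE_DER = b"\x30\x03\x02\x01\x02"


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


SAMPLE_CSR_PEM = _pem("CERTIFICATE REQUEST", b"\x30\x03\x02\x01\x00")
SAMPLE_STATUS_CERTIFICATE = base64.b64encode((
    "Issued by the constructed example signer\n"  # explanatory text, ignored
    + _pem("CERTIFICATE", FAKE_LEAF_DER)
    + _pem("CERTIFICATE", FAKE_INTERMEDIATE_DER)).encode()).decode()

if __name__ == "__main__":
    manifest = build_csr("node-1-client", SAMPLE_CSR_PEM,
                         "kubernetes.io/kube-apiserver-client",
                         ["digital signature", "key encipherment", "client auth"], 3600)
    print(manifest["spec"]["signerName"], manifest["spec"]["usages"])
    leaf, intermediates = split_issued_chain(SAMPLE_STATUS_CERTIFICATE)
    print(len(leaf), "byte leaf,", len(intermediates), "intermediate(s)")
    print(request_state([{"type": "Approved", "status": "True"}]))
```

`split_issued_chain` deliberately stops at structural checks (label, headers, SEQUENCE tag); verifying the chain against a CA bundle is the job of the TLS library that receives the leaf and intermediates, and `request_state` ranks Failed above Approved because a signer can fail after an approval has been recorded.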
2.2. API endpoints
The following API endpoints are available:
- /apis/certificates.k8s.io/v1/certificatesigningrequests
  - `DELETE`: delete collection of CertificateSigningRequest
  - `GET`: list or watch objects of kind CertificateSigningRequest
  - `POST`: create a CertificateSigningRequest
- /apis/certificates.k8s.io/v1/watch/certificatesigningrequests
  - `GET`: watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.
- /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
  - `DELETE`: delete a CertificateSigningRequest
  - `GET`: read the specified CertificateSigningRequest
  - `PATCH`: partially update the specified CertificateSigningRequest
  - `PUT`: replace the specified CertificateSigningRequest
- /apis/certificates.k8s.io/v1/watch/certificatesigningrequests/{name}
  - `GET`: watch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
- /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
  - `GET`: read status of the specified CertificateSigningRequest
  - `PATCH`: partially update status of the specified CertificateSigningRequest
  - `PUT`: replace status of the specified CertificateSigningRequest
- /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
  - `GET`: read approval of the specified CertificateSigningRequest
  - `PATCH`: partially update approval of the specified CertificateSigningRequest
  - `PUT`: replace approval of the specified CertificateSigningRequest
2.2.1. /apis/certificates.k8s.io/v1/certificatesigningrequests
- HTTP method
- `DELETE`
- Description
- delete collection of CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | `Status` schema |
401 - Unauthorized | Empty |
- HTTP method
- `GET`
- Description
- list or watch objects of kind CertificateSigningRequest
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequestList` schema |
401 - Unauthorized | Empty |
- HTTP method
- `POST`
- Description
- create a CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | `CertificateSigningRequest` schema | |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
202 - Accepted | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
2.2.2. /apis/certificates.k8s.io/v1/watch/certificatesigningrequests
- HTTP method
- `GET`
- Description
- watch individual changes to a list of CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | `WatchEvent` schema |
401 - Unauthorized | Empty |
2.2.3. /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the CertificateSigningRequest |
- HTTP method
- `DELETE`
- Description
- delete a CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | `Status` schema |
202 - Accepted | `Status` schema |
401 - Unauthorized | Empty |
- HTTP method
- `GET`
- Description
- read the specified CertificateSigningRequest
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
- HTTP method
- `PATCH`
- Description
- partially update the specified CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
- HTTP method
- `PUT`
- Description
- replace the specified CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | `CertificateSigningRequest` schema | |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
2.2.4. /apis/certificates.k8s.io/v1/watch/certificatesigningrequests/{name}
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the CertificateSigningRequest |
- HTTP method
- `GET`
- Description
- watch changes to an object of kind CertificateSigningRequest. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
HTTP code | Response body |
---|---|
200 - OK | `WatchEvent` schema |
401 - Unauthorized | Empty |
2.2.5. /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/status
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the CertificateSigningRequest |
- HTTP method
- `GET`
- Description
- read status of the specified CertificateSigningRequest
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
- HTTP method
- `PATCH`
- Description
- partially update status of the specified CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
- HTTP method
- `PUT`
- Description
- replace status of the specified CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | `CertificateSigningRequest` schema | |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
2.2.6. /apis/certificates.k8s.io/v1/certificatesigningrequests/{name}/approval
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the CertificateSigningRequest |
- HTTP method
- `GET`
- Description
- read approval of the specified CertificateSigningRequest
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
- HTTP method
- `PATCH`
- Description
- partially update approval of the specified CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
- HTTP method
- `PUT`
- Description
- replace approval of the specified CertificateSigningRequest
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | `CertificateSigningRequest` schema | |
HTTP code | Response body |
---|---|
200 - OK | `CertificateSigningRequest` schema |
201 - Created | `CertificateSigningRequest` schema |
401 - Unauthorized | Empty |
Chapter 3. CredentialsRequest [cloudcredential.openshift.io/v1]
- Description
- CredentialsRequest is the Schema for the credentialsrequests API
- Type
- object
- Required
- spec
3.1. Specification
Property | Type | Description |
---|---|---|
`apiVersion` | `string` | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
`kind` | `string` | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`metadata` | `ObjectMeta` | Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
`spec` | `object` | CredentialsRequestSpec defines the desired state of CredentialsRequest |
`status` | `object` | CredentialsRequestStatus defines the observed state of CredentialsRequest |
3.1.1. .spec
- Description
- CredentialsRequestSpec defines the desired state of CredentialsRequest
- Type
- object
- Required
- secretRef
Property | Type | Description |
---|---|---|
`cloudTokenPath` | `string` | cloudTokenPath is the path where the Kubernetes ServiceAccount token (JSON Web Token) is mounted on the deployment for the workload requesting a credentials secret. The presence of this field in combination with fields such as spec.providerSpec.stsIAMRoleARN indicate that CCO should broker creation of a credentials secret containing fields necessary for token based authentication methods such as with the AWS Secure Token Service (STS). cloudTokenPath may also be used to specify the azure_federated_token_file path used in Azure configuration secrets generated by ccoctl. Defaults to "/var/run/secrets/openshift/serviceaccount/token". |
`providerSpec` | `` | ProviderSpec contains the cloud provider specific credentials specification. |
`secretRef` | `object` | SecretRef points to the secret where the credentials should be stored once generated. |
`serviceAccountNames` | `array (string)` | ServiceAccountNames contains a list of ServiceAccounts that will use permissions associated with this CredentialsRequest. This is not used by CCO, but the information is needed for being able to properly set up access control in the cloud provider when the ServiceAccounts are used as part of the cloud credentials flow. |
3.1.2. .spec.secretRef
- Description
- SecretRef points to the secret where the credentials should be stored once generated.
- Type
- object
Property | Type | Description |
---|---|---|
`apiVersion` | `string` | API version of the referent. |
`fieldPath` | `string` | If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future. |
`kind` | `string` | Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`name` | `string` | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
`namespace` | `string` | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
`resourceVersion` | `string` | Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency |
`uid` | `string` | UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids |
3.1.3. .status
- Description
- CredentialsRequestStatus defines the observed state of CredentialsRequest
- Type
- object
- Required
- lastSyncGeneration
- provisioned
Property | Type | Description |
---|---|---|
| | Conditions includes detailed status for the CredentialsRequest |
| | CredentialsRequestCondition contains details for any of the conditions on a CredentialsRequest object |
| | LastSyncCloudCredsSecretResourceVersion is the resource version of the cloud credentials secret resource when the credentials request resource was last synced. Used to determine if the cloud credentials have been updated since the last sync. |
| | LastSyncGeneration is the generation of the credentials request resource that was last synced. Used to determine if the object has changed and requires a sync. |
| | LastSyncTimestamp is the time that the credentials were last synced. |
| | ProviderStatus contains cloud provider specific status. |
| | Provisioned is true once the credentials have been initially provisioned. |
3.1.4. .status.conditions
- Description
- Conditions includes detailed status for the CredentialsRequest
- Type
- array
3.1.5. .status.conditions[]
- Description
- CredentialsRequestCondition contains details for any of the conditions on a CredentialsRequest object
- Type
- object
- Required
- status
- type
Property | Type | Description |
---|---|---|
| | LastProbeTime is the last time we probed the condition |
| | LastTransitionTime is the last time the condition transitioned from one status to another. |
| | Message is a human-readable message indicating details about the last transition |
| | Reason is a unique, one-word, CamelCase reason for the condition’s last transition |
| | Status is the status of the condition |
| | Type is the specific type of the condition |
3.2. API endpoints
The following API endpoints are available:
/apis/cloudcredential.openshift.io/v1/credentialsrequests
- GET: list objects of kind CredentialsRequest
/apis/cloudcredential.openshift.io/v1/namespaces/{namespace}/credentialsrequests
- DELETE: delete collection of CredentialsRequest
- GET: list objects of kind CredentialsRequest
- POST: create a CredentialsRequest
/apis/cloudcredential.openshift.io/v1/namespaces/{namespace}/credentialsrequests/{name}
- DELETE: delete a CredentialsRequest
- GET: read the specified CredentialsRequest
- PATCH: partially update the specified CredentialsRequest
- PUT: replace the specified CredentialsRequest
/apis/cloudcredential.openshift.io/v1/namespaces/{namespace}/credentialsrequests/{name}/status
- GET: read status of the specified CredentialsRequest
- PATCH: partially update status of the specified CredentialsRequest
- PUT: replace status of the specified CredentialsRequest
3.2.1. /apis/cloudcredential.openshift.io/v1/credentialsrequests
- HTTP method
- GET
- Description
- list objects of kind CredentialsRequest
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
3.2.2. /apis/cloudcredential.openshift.io/v1/namespaces/{namespace}/credentialsrequests
- HTTP method
- DELETE
- Description
- delete collection of CredentialsRequest
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- GET
- Description
- list objects of kind CredentialsRequest
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- POST
- Description
- create a CredentialsRequest
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
3.2.3. /apis/cloudcredential.openshift.io/v1/namespaces/{namespace}/credentialsrequests/{name}
Parameter | Type | Description |
---|---|---|
| | name of the CredentialsRequest |
- HTTP method
- DELETE
- Description
- delete a CredentialsRequest
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | |
202 - Accepted | |
401 - Unauthorized | Empty |
- HTTP method
- GET
- Description
- read the specified CredentialsRequest
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- PATCH
- Description
- partially update the specified CredentialsRequest
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- PUT
- Description
- replace the specified CredentialsRequest
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
3.2.4. /apis/cloudcredential.openshift.io/v1/namespaces/{namespace}/credentialsrequests/{name}/status
Parameter | Type | Description |
---|---|---|
| | name of the CredentialsRequest |
- HTTP method
- GET
- Description
- read status of the specified CredentialsRequest
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- PATCH
- Description
- partially update status of the specified CredentialsRequest
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- PUT
- Description
- replace status of the specified CredentialsRequest
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
Chapter 4. PodSecurityPolicyReview [security.openshift.io/v1]
- Description
- PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the PodTemplateSpec in question.
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
- Type
- object
- Required
- spec
4.1. Specification
Property | Type | Description |
---|---|---|
| | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| | PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview |
| | PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview. |
4.1.1. .spec
- Description
- PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
- Type
- object
- Required
- template
Property | Type | Description |
---|---|---|
| | serviceAccountNames is an optional set of ServiceAccounts to run the check with. If serviceAccountNames is empty, the template.spec.serviceAccountName is used, unless it’s empty, in which case "default" is used instead. If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. |
| | template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty, in which case "default" is used. If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. |
4.1.2. .status
- Description
- PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
- Type
- object
- Required
- allowedServiceAccounts
Property | Type | Description |
---|---|---|
| | allowedServiceAccounts returns the list of service accounts in this namespace that have the power to create the PodTemplateSpec. |
| | ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status |
4.1.3. .status.allowedServiceAccounts
- Description
- allowedServiceAccounts returns the list of service accounts in this namespace that have the power to create the PodTemplateSpec.
- Type
- array
4.1.4. .status.allowedServiceAccounts[]
- Description
- ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
- Type
- object
- Required
- name
Property | Type | Description |
---|---|---|
| | allowedBy is a reference to the rule that allows the PodTemplateSpec. A rule can be a SecurityContextConstraint or a PodSecurityPolicy A |
| | name contains the allowed and the denied ServiceAccount name |
| | A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. |
| | template is the PodTemplateSpec after the defaulting is applied. |
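Putting the .spec and .status rules above together: an added Go example (not code from the OpenShift project) that builds the review body for a namespace audit, applies the serviceAccountNames / template.spec.serviceAccountName / "default" precedence locally, and splits a constructed response into service accounts that may and may not create the template. The Go type names, the `reason` field name and the rule that allowedBy is present only for allowed accounts are assumptions of the example, not taken from the page.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal typed view of the objects in this chapter; only the fields used here are modelled.
type PodSecurityPolicyReview struct {
	APIVersion string        `json:"apiVersion"`
	Kind       string        `json:"kind"`
	Spec       ReviewSpec    `json:"spec"`
	Status     *ReviewStatus `json:"status,omitempty"`
}

type ReviewSpec struct {
	ServiceAccountNames []string        `json:"serviceAccountNames,omitempty"`
	Template            PodTemplateSpec `json:"template"`
}

type PodTemplateSpec struct {
	Spec PodSpec `json:"spec"`
}

type PodSpec struct { // containers stay untyped; only serviceAccountName matters here
	ServiceAccountName string           `json:"serviceAccountName,omitempty"`
	Containers         []map[string]any `json:"containers"`
}

type ReviewStatus struct {
	AllowedServiceAccounts []ServiceAccountStatus `json:"allowedServiceAccounts"`
}

// One entry per checked service account. Assumption (not stated on the page): allowedBy is
// set when the account may create the template; reason is set, with allowedBy absent, when not.
type ServiceAccountStatus struct {
	Name      string           `json:"name"`
	AllowedBy *ObjectReference `json:"allowedBy,omitempty"`
	Reason    string           `json:"reason,omitempty"`
}

type ObjectReference struct{ Kind, Name string } // JSON keys match case-insensitively on decode

// SubjectsChecked applies the precedence the .spec description gives: serviceAccountNames
// wins; otherwise template.spec.serviceAccountName; otherwise "default".
func SubjectsChecked(spec ReviewSpec) []string {
	if len(spec.ServiceAccountNames) > 0 {
		return spec.ServiceAccountNames
	}
	if sa := spec.Template.Spec.ServiceAccountName; sa != "" {
		return []string{sa}
	}
	return []string{"default"}
}

// BuildReview serialises the body for POST .../namespaces/{namespace}/podsecuritypolicyreviews.
func BuildReview(serviceAccounts []string, tmpl PodTemplateSpec) ([]byte, error) {
	return json.Marshal(PodSecurityPolicyReview{
		APIVersion: "security.openshift.io/v1",
		Kind:       "PodSecurityPolicyReview",
		Spec:       ReviewSpec{ServiceAccountNames: serviceAccounts, Template: tmpl},
	})
}

// Summarize splits status.allowedServiceAccounts into accounts that may create the template
// (mapped to "Kind/Name" of the admitting rule) and accounts that may not (mapped to reason).
func Summarize(response []byte) (allowed, denied map[string]string, err error) {
	var rev PodSecurityPolicyReview
	if err = json.Unmarshal(response, &rev); err != nil {
		return nil, nil, err
	}
	if rev.Status == nil {
		return nil, nil, fmt.Errorf("response carries no status")
	}
	allowed, denied = map[string]string{}, map[string]string{}
	for _, sa := range rev.Status.AllowedServiceAccounts {
		if sa.AllowedBy != nil {
			allowed[sa.Name] = sa.AllowedBy.Kind + "/" + sa.AllowedBy.Name
		} else {
			denied[sa.Name] = sa.Reason
		}
	}
	return allowed, denied, nil
}

// sampleResponse is constructed for this example, not captured from a cluster.
const sampleResponse = `{"apiVersion":"security.openshift.io/v1","kind":"PodSecurityPolicyReview",
"spec":{"serviceAccountNames":["builder","default"],"template":{"spec":{"containers":[]}}},
"status":{"allowedServiceAccounts":[
{"name":"builder","allowedBy":{"kind":"SecurityContextConstraints","name":"privileged"}},
{"name":"default","reason":"no SecurityContextConstraints admits this template"}]}}`

func main() {
	tmpl := PodTemplateSpec{Spec: PodSpec{Containers: []map[string]any{
		{"name": "app", "securityContext": map[string]any{"privileged": true}}}}}
	body, _ := BuildReview([]string{"builder", "default"}, tmpl)
	allowed, denied, _ := Summarize([]byte(sampleResponse))
	fmt.Println(string(body), "\nallowed:", allowed, "\ndenied:", denied)
}
```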
4.2. API endpoints
The following API endpoints are available:
/apis/security.openshift.io/v1/namespaces/{namespace}/podsecuritypolicyreviews
- POST: create a PodSecurityPolicyReview
4.2.1. /apis/security.openshift.io/v1/namespaces/{namespace}/podsecuritypolicyreviews
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
- HTTP method
- POST
- Description
- create a PodSecurityPolicyReview
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
Chapter 5. PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- Description
- PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec.
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
- Type
- object
- Required
- spec
5.1. Specification
Property | Type | Description |
---|---|---|
| | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| | PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview. |
| | PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview. |
5.1.1. .spec
- Description
- PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
- Type
- object
- Required
- template
Property | Type | Description |
---|---|---|
| | template is the PodTemplateSpec to check. |
5.1.2. .status
- Description
- PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
- Type
- object
Property | Type | Description |
---|---|---|
| | allowedBy is a reference to the rule that allows the PodTemplateSpec. A rule can be a SecurityContextConstraint or a PodSecurityPolicy A |
| | A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. |
| | template is the PodTemplateSpec after the defaulting is applied. |
5.2. API endpoints
The following API endpoints are available:
/apis/security.openshift.io/v1/namespaces/{namespace}/podsecuritypolicyselfsubjectreviews
- POST: create a PodSecurityPolicySelfSubjectReview
5.2.1. /apis/security.openshift.io/v1/namespaces/{namespace}/podsecuritypolicyselfsubjectreviews
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
- HTTP method
- POST
- Description
- create a PodSecurityPolicySelfSubjectReview
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
Chapter 6. PodSecurityPolicySubjectReview [security.openshift.io/v1]
- Description
- PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
- Type
- object
- Required
- spec
6.1. Specification
Property | Type | Description |
---|---|---|
| | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| | PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview |
| | PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview. |
6.1.1. .spec
- Description
- PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
- Type
- object
- Required
- template
Property | Type | Description |
---|---|---|
| | groups is the groups you’re testing for. |
| | template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted. If it is non-empty, it will be checked. |
| | user is the user you’re testing for. If you specify "user" but not "group", then it is interpreted as "What if user were not a member of any groups?". If user and groups are empty, then the check is performed using only the serviceAccountName in the template. |
6.1.2. .status
- Description
- PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
- Type
- object
Property | Type | Description |
---|---|---|
| | allowedBy is a reference to the rule that allows the PodTemplateSpec. A rule can be a SecurityContextConstraint or a PodSecurityPolicy A |
| | A machine-readable description of why this operation is in the "Failure" status. If this value is empty there is no information available. |
| | template is the PodTemplateSpec after the defaulting is applied. |
6.2. API endpoints
The following API endpoints are available:
/apis/security.openshift.io/v1/namespaces/{namespace}/podsecuritypolicysubjectreviews
- POST: create a PodSecurityPolicySubjectReview
6.2.1. /apis/security.openshift.io/v1/namespaces/{namespace}/podsecuritypolicysubjectreviews
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
- HTTP method
- POST
- Description
- create a PodSecurityPolicySubjectReview
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
Chapter 7. RangeAllocation [security.openshift.io/v1]
- Description
- RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
- Type
- object
- Required
- range
- data
7.1. Specification
Property | Type | Description |
---|---|---|
| | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
| | data is a byte array representing the serialized state of a range allocation. It is a bitmap with each bit set to one to represent a range is taken. |
| | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
| | metadata is the standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
| | range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000". |
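To make the range string and the data bitmap concrete, here is an added Go example (not code from the OpenShift project) that parses "1000000000-2000000000/10000", maps block indices back to UID intervals, decodes a constructed bitmap into the taken blocks and finds the next free one. Treating the end UID as inclusive, reading the bytes as a big-endian integer with bit i standing for block i, and the function names are assumptions of the example, not details given on the page.

```go
package main

import (
	"fmt"
	"math/big"
	"strconv"
	"strings"
)

// UIDRange is the parsed form of the "range" string, e.g. "1000000000-2000000000/10000":
// the first UID, the last UID (assumed inclusive) and the number of UIDs per block.
type UIDRange struct {
	Start, End, BlockSize uint64
}

// ParseRange parses "<start>-<end>/<blockSize>" and rejects malformed or empty ranges.
func ParseRange(s string) (UIDRange, error) {
	bounds, size, ok := strings.Cut(s, "/")
	if !ok {
		return UIDRange{}, fmt.Errorf("range %q: missing /blockSize", s)
	}
	lo, hi, ok := strings.Cut(bounds, "-")
	if !ok {
		return UIDRange{}, fmt.Errorf("range %q: missing start-end", s)
	}
	var r UIDRange
	var err error
	if r.Start, err = strconv.ParseUint(lo, 10, 64); err != nil {
		return UIDRange{}, fmt.Errorf("range %q: bad start: %w", s, err)
	}
	if r.End, err = strconv.ParseUint(hi, 10, 64); err != nil {
		return UIDRange{}, fmt.Errorf("range %q: bad end: %w", s, err)
	}
	if r.BlockSize, err = strconv.ParseUint(size, 10, 64); err != nil {
		return UIDRange{}, fmt.Errorf("range %q: bad block size: %w", s, err)
	}
	// The BlockSize check runs before Blocks() so a zero block size cannot divide by zero.
	if r.End < r.Start || r.BlockSize == 0 || r.Blocks() == 0 {
		return UIDRange{}, fmt.Errorf("range %q: no whole block fits", s)
	}
	return r, nil
}

// Blocks is the number of whole blocks the range can hand out.
func (r UIDRange) Blocks() uint64 { return (r.End - r.Start + 1) / r.BlockSize }

// Block returns the first and last UID covered by block i.
func (r UIDRange) Block(i uint64) (first, last uint64) {
	first = r.Start + i*r.BlockSize
	return first, first + r.BlockSize - 1
}

// TakenBlocks decodes the "data" bitmap. Assumed encoding (not given on the page): the bytes
// are a big-endian unsigned integer and bit i, counted from the least significant bit, set to
// one means block i is taken. A bit beyond the range is treated as corruption, not ignored.
func TakenBlocks(r UIDRange, data []byte) ([]uint64, error) {
	bm := new(big.Int).SetBytes(data)
	if uint64(bm.BitLen()) > r.Blocks() {
		return nil, fmt.Errorf("bitmap marks block %d but range has only %d blocks", bm.BitLen()-1, r.Blocks())
	}
	taken := []uint64{}
	for i := 0; i < bm.BitLen(); i++ {
		if bm.Bit(i) == 1 {
			taken = append(taken, uint64(i))
		}
	}
	return taken, nil
}

// FirstFree returns the lowest unallocated block, the one an allocator would hand out next,
// or an error when every block in the range is taken.
func FirstFree(r UIDRange, data []byte) (uint64, error) {
	bm := new(big.Int).SetBytes(data)
	for i := uint64(0); i < r.Blocks(); i++ {
		if bm.Bit(int(i)) == 0 {
			return i, nil
		}
	}
	return 0, fmt.Errorf("all %d blocks are taken", r.Blocks())
}

func main() {
	r, err := ParseRange("1000000000-2000000000/10000")
	if err != nil {
		panic(err)
	}
	// Constructed bitmap: 0x25 = 0b100101, so blocks 0, 2 and 5 are taken.
	taken, _ := TakenBlocks(r, []byte{0x25})
	for _, i := range taken {
		first, last := r.Block(i)
		fmt.Printf("block %d taken: uids %d-%d\n", i, first, last)
	}
	free, _ := FirstFree(r, []byte{0x25})
	fmt.Println("next free block:", free)
}
```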
7.2. API endpoints
The following API endpoints are available:
/apis/security.openshift.io/v1/rangeallocations
- DELETE: delete collection of RangeAllocation
- GET: list or watch objects of kind RangeAllocation
- POST: create a RangeAllocation
/apis/security.openshift.io/v1/watch/rangeallocations
- GET: watch individual changes to a list of RangeAllocation. deprecated: use the 'watch' parameter with a list operation instead.
/apis/security.openshift.io/v1/rangeallocations/{name}
- DELETE: delete a RangeAllocation
- GET: read the specified RangeAllocation
- PATCH: partially update the specified RangeAllocation
- PUT: replace the specified RangeAllocation
/apis/security.openshift.io/v1/watch/rangeallocations/{name}
- GET: watch changes to an object of kind RangeAllocation. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
7.2.1. /apis/security.openshift.io/v1/rangeallocations
- HTTP method
- DELETE
- Description
- delete collection of RangeAllocation
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- GET
- Description
- list or watch objects of kind RangeAllocation
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- POST
- Description
- create a RangeAllocation
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
7.2.2. /apis/security.openshift.io/v1/watch/rangeallocations
- HTTP method
- GET
- Description
- watch individual changes to a list of RangeAllocation. deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
7.2.3. /apis/security.openshift.io/v1/rangeallocations/{name}
Parameter | Type | Description |
---|---|---|
| | name of the RangeAllocation |
- HTTP method
- DELETE
- Description
- delete a RangeAllocation
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | |
202 - Accepted | |
401 - Unauthorized | Empty |
- HTTP method
- GET
- Description
- read the specified RangeAllocation
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method
- PATCH
- Description
- partially update the specified RangeAllocation
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
- HTTP method
- PUT
- Description
- replace the specified RangeAllocation
Parameter | Type | Description |
---|---|---|
| | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
| | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
| | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
7.2.4. /apis/security.openshift.io/v1/watch/rangeallocations/{name}
Parameter | Type | Description |
---|---|---|
|
| name of the RangeAllocation |
- HTTP method
-
GET
- Description
- watch changes to an object of kind RangeAllocation. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
Chapter 8. Secret [v1]
- Description: Secret holds secret data of a certain type. The total bytes of the values in the Data field must be less than MaxSecretSize bytes.
- Type: object
8.1. Specification
Property | Type | Description |
---|---|---|
`apiVersion` | `string` | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
`data` | `object (string)` | Data contains the secret data. Each key must consist of alphanumeric characters, '-', '_' or '.'. The serialized form of the secret data is a base64 encoded string, representing the arbitrary (possibly non-string) data value here. Described in https://tools.ietf.org/html/rfc4648#section-4 |
`immutable` | `boolean` | Immutable, if set to true, ensures that data stored in the Secret cannot be updated (only object metadata can be modified). If not set to true, the field can be modified at any time. Defaulted to nil. |
`kind` | `string` | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`metadata` | `ObjectMeta` | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
`stringData` | `object (string)` | stringData allows specifying non-binary secret data in string form. It is provided as a write-only input field for convenience. All keys and values are merged into the data field on write, overwriting any existing values. The stringData field is never output when reading from the API. |
`type` | `string` | Used to facilitate programmatic handling of secret data. More info: https://kubernetes.io/docs/concepts/configuration/secret/#secret-types |
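The `data`, `stringData` and size rules from the table above, modelled as a client-side pre-check that a manifest can be run through before it is submitted. This is an added example, not code from this reference or from Kubernetes: `MAX_SECRET_SIZE` stands in for `MaxSecretSize`, whose value the page does not state, the key pattern is derived from the `data` description, and all sample values are constructed.

```python
"""Client-side model of the Secret constraints stated in the specification:
key character set, stringData merged into data on write (overwriting),
base64 serialisation of data values, and the total-size bound.

Added example, not Kubernetes' validation code. MAX_SECRET_SIZE is an
assumed bound standing in for MaxSecretSize (not given on the page)."""
import base64
import re
from typing import Dict, Optional

MAX_SECRET_SIZE = 1024 * 1024                   # assumption, see docstring
KEY_RE = re.compile(r"^[A-Za-z0-9._-]+$")       # alphanumeric, '-', '_' or '.'


def _check_key(key: str) -> None:
    """Reject any key outside the character set the `data` description allows."""
    if not KEY_RE.match(key):
        raise ValueError(
            f"invalid key {key!r}: only alphanumerics, '-', '_' and '.' are allowed")


def normalize_secret(data: Optional[Dict[str, str]],
                     string_data: Optional[Dict[str, str]]) -> Dict[str, str]:
    """Return the `data` map as it would be persisted.

    `data` values must already be base64; `stringData` values are plain text,
    encoded here and merged in, overwriting any same-named key in `data`.
    `stringData` itself is write-only and therefore not part of the result.
    Raises ValueError on a bad key, invalid base64, or a payload at or over
    the size bound (the page says the total must be *less than* the limit)."""
    merged: Dict[str, bytes] = {}
    for key, value in (data or {}).items():
        _check_key(key)
        try:
            merged[key] = base64.b64decode(value, validate=True)
        except ValueError as exc:               # binascii.Error subclasses ValueError
            raise ValueError(f"data[{key!r}] is not valid base64") from exc
    for key, value in (string_data or {}).items():
        _check_key(key)
        merged[key] = value.encode("utf-8")     # stringData wins on conflict
    total = sum(len(v) for v in merged.values())
    if total >= MAX_SECRET_SIZE:
        raise ValueError(f"secret payload is {total} bytes; limit is {MAX_SECRET_SIZE}")
    return {k: base64.b64encode(v).decode("ascii") for k, v in merged.items()}


def is_valid_secret(data: Optional[Dict[str, str]],
                    string_data: Optional[Dict[str, str]]) -> bool:
    """True when normalize_secret() accepts the pair, False when it would reject."""
    try:
        normalize_secret(data, string_data)
    except ValueError:
        return False
    return True


# Constructed sample: the manifest sets "username" in both fields, so the
# stringData value replaces the base64 one already present in data.
SAMPLE_DATA = {"username": "YWRtaW4="}                       # base64("admin")
SAMPLE_STRING_DATA = {"username": "svc-reader", "password": "s3cr3t"}

if __name__ == "__main__":
    for key, value in normalize_secret(SAMPLE_DATA, SAMPLE_STRING_DATA).items():
        print(f"{key}: {value}")
```

The overwrite rule matters in practice: a manifest that carries the same key in `data` and `stringData` persists only the `stringData` value, and since `stringData` is never returned on read, the stored object gives no hint that a conflict happened.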
8.2. API endpoints
The following API endpoints are available:
- /api/v1/secrets
  - GET: list or watch objects of kind Secret
- /api/v1/watch/secrets
  - GET: watch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.
- /api/v1/namespaces/{namespace}/secrets
  - DELETE: delete collection of Secret
  - GET: list or watch objects of kind Secret
  - POST: create a Secret
- /api/v1/watch/namespaces/{namespace}/secrets
  - GET: watch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.
- /api/v1/namespaces/{namespace}/secrets/{name}
  - DELETE: delete a Secret
  - GET: read the specified Secret
  - PATCH: partially update the specified Secret
  - PUT: replace the specified Secret
- /api/v1/watch/namespaces/{namespace}/secrets/{name}
  - GET: watch changes to an object of kind Secret. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
8.2.1. /api/v1/secrets
- HTTP method: GET
- Description: list or watch objects of kind Secret
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
8.2.2. /api/v1/watch/secrets
- HTTP method: GET
- Description: watch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
8.2.3. /api/v1/namespaces/{namespace}/secrets
- HTTP method: DELETE
- Description: delete collection of Secret
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: GET
- Description: list or watch objects of kind Secret
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: POST
- Description: create a Secret
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
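How the three `fieldValidation` values behave when a create or update body carries an unknown field and a duplicated field, as an added example that is not part of this reference or of the API server. It checks the body against the top-level Secret properties listed in section 8.1 and applies the same logic for every POST, PUT and PATCH table in this guide. The `BadRequest` class and the JSON decoding are assumptions standing in for the server's handling, and the request body is constructed.

```python
"""Client-side model of the fieldValidation modes Ignore / Warn / Strict.

Added example, not Kubernetes code. Only top-level fields are checked for
being unknown (assumption); duplicate keys are detected at every nesting
level because the JSON decoder reports them wherever they occur."""
import json
from typing import Dict, List, Optional, Set, Tuple

# Top-level Secret properties from the specification table in this guide.
SECRET_FIELDS: Set[str] = {"apiVersion", "kind", "metadata", "data",
                           "stringData", "immutable", "type"}


class BadRequest(Exception):
    """Stands in for the 400 BadRequest the server returns in Strict mode."""


def decode(body: str, known: Set[str], mode: str = "Warn") -> Tuple[Dict, List[str]]:
    """Parse `body` as the chosen fieldValidation mode describes.

    Returns (object, warnings). Unknown fields are dropped in every mode; the
    mode decides whether that is silent (Ignore), reported (Warn) or rejected
    (Strict, raising BadRequest with every unknown and duplicate field)."""
    duplicates: List[str] = []

    def pairs_hook(pairs):
        obj = {}
        for key, value in pairs:
            if key in obj:
                duplicates.append(key)
            obj[key] = value            # the decoder keeps the last duplicate
        return obj

    obj = json.loads(body, object_pairs_hook=pairs_hook)
    unknown = sorted(k for k in obj if k not in known)
    cleaned = {k: v for k, v in obj.items() if k in known}

    if mode == "Ignore":
        return cleaned, []
    problems = [f'unknown field "{k}"' for k in unknown] + \
               [f'duplicate field "{k}"' for k in duplicates]
    if mode == "Warn":
        return cleaned, problems          # request still succeeds
    if mode == "Strict":
        if problems:
            raise BadRequest("; ".join(problems))
        return cleaned, []
    raise ValueError(f"unsupported fieldValidation value: {mode}")


def strict_error(body: str, known: Set[str]) -> Optional[str]:
    """The Strict-mode error text for `body`, or None when the body is clean."""
    try:
        decode(body, known, "Strict")
    except BadRequest as exc:
        return str(exc)
    return None


# Constructed request body: "stringdata" is a mis-cased key the schema does
# not know, and "type" appears twice.
SAMPLE_BODY = '''{
  "apiVersion": "v1", "kind": "Secret",
  "metadata": {"name": "db-creds"},
  "stringdata": {"password": "hunter2"},
  "type": "Opaque",
  "type": "kubernetes.io/basic-auth"
}'''

if __name__ == "__main__":
    for mode in ("Ignore", "Warn"):
        obj, warnings = decode(SAMPLE_BODY, SECRET_FIELDS, mode)
        print(mode, sorted(obj), warnings)
    print("Strict", strict_error(SAMPLE_BODY, SECRET_FIELDS))
```

The sample shows why the default matters for credential-bearing objects: under Ignore the mis-cased `stringdata` key is dropped silently, so the Secret is persisted without the password it was meant to carry and the client receives a 200 with no indication; Strict turns the same mistake into a rejected request that names the field.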
8.2.4. /api/v1/watch/namespaces/{namespace}/secrets
- HTTP method: GET
- Description: watch individual changes to a list of Secret. deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
8.2.5. /api/v1/namespaces/{namespace}/secrets/{name}
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the Secret |
- HTTP method: DELETE
- Description: delete a Secret
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | |
202 - Accepted | |
401 - Unauthorized | Empty |
- HTTP method: GET
- Description: read the specified Secret
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: PATCH
- Description: partially update the specified Secret
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
- HTTP method: PUT
- Description: replace the specified Secret
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
8.2.6. /api/v1/watch/namespaces/{namespace}/secrets/{name}
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the Secret |
- HTTP method: GET
- Description: watch changes to an object of kind Secret. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
Chapter 9. SecurityContextConstraints [security.openshift.io/v1]
- Description: SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons SCC was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release; users should instead use the security.openshift.io group to manage SecurityContextConstraints. Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
- Type: object
- Required:
  - allowHostDirVolumePlugin
  - allowHostIPC
  - allowHostNetwork
  - allowHostPID
  - allowHostPorts
  - allowPrivilegedContainer
  - readOnlyRootFilesystem
9.1. Specification
Property | Type | Description |
---|---|---|
`allowHostDirVolumePlugin` | `boolean` | AllowHostDirVolumePlugin determines if the policy allows containers to use the HostDir volume plugin |
`allowHostIPC` | `boolean` | AllowHostIPC determines if the policy allows host ipc in the containers. |
`allowHostNetwork` | `boolean` | AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. |
`allowHostPID` | `boolean` | AllowHostPID determines if the policy allows host pid in the containers. |
`allowHostPorts` | `boolean` | AllowHostPorts determines if the policy allows host ports in the containers. |
`allowPrivilegeEscalation` | `boolean` | AllowPrivilegeEscalation determines if a pod can request to allow privilege escalation. If unspecified, defaults to true. |
`allowPrivilegedContainer` | `boolean` | AllowPrivilegedContainer determines if a container can request to be run as privileged. |
`allowedCapabilities` | `array (string)` | AllowedCapabilities is a list of capabilities that can be requested to add to the container. Capabilities in this field may be added at the pod author's discretion. You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. To allow all capabilities you may use '*'. |
`allowedFlexVolumes` | `array` | AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes is allowed in the "Volumes" field. |
`allowedUnsafeSysctls` | `array (string)` | AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. Examples: e.g. "foo/*" allows "foo/bar", "foo/baz", etc. e.g. "foo.*" allows "foo.bar", "foo.baz", etc. |
`apiVersion` | `string` | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
`defaultAddCapabilities` | `array (string)` | DefaultAddCapabilities is the default set of capabilities that will be added to the container unless the pod spec specifically drops the capability. You may not list a capability in both DefaultAddCapabilities and RequiredDropCapabilities. |
`defaultAllowPrivilegeEscalation` | `boolean` | DefaultAllowPrivilegeEscalation controls the default setting for whether a process can gain more privileges than its parent process. |
`forbiddenSysctls` | `array (string)` | ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. Each entry is either a plain sysctl name or ends in "*" in which case it is considered as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. Examples: e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. |
`fsGroup` | `object` | FSGroup is the strategy that will dictate what fs group is used by the SecurityContext. |
`groups` | `array (string)` | The groups that have permission to use these security context constraints |
`kind` | `string` | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`metadata` | `ObjectMeta` | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
`priority` | `integer` | Priority influences the sort order of SCCs when evaluating which SCCs to try first for a given pod request based on access in the Users and Groups fields. The higher the int, the higher priority. An unset value is considered a 0 priority. If scores for multiple SCCs are equal they will be sorted from most restrictive to least restrictive. If both priorities and restrictions are equal the SCCs will be sorted by name. |
`readOnlyRootFilesystem` | `boolean` | ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file system. If the container specifically requests to run with a non-read only root file system the SCC should deny the pod. If set to false the container may run with a read only root file system if it wishes but it will not be forced to. |
`requiredDropCapabilities` | `array (string)` | RequiredDropCapabilities are the capabilities that will be dropped from the container. These are required to be dropped and cannot be added. |
`runAsUser` | `object` | RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. |
`seLinuxContext` | `object` | SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. |
`seccompProfiles` | `array (string)` | SeccompProfiles lists the allowed profiles that may be set for the pod or container's seccomp annotations. An unset (nil) or empty value means that no profiles may be specified by the pod or container. The wildcard '*' may be used to allow all profiles. When used to generate a value for a pod the first non-wildcard profile will be used as the default. |
`supplementalGroups` | `object` | SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. |
`users` | `array (string)` | The users who have permissions to use these security context constraints |
`volumes` | `array (string)` | Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". To allow no volumes, set to ["none"]. |
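The evaluation order described under `priority` (higher priority first, then most restrictive, then by name) followed by the allow/deny rules the table gives for the host-namespace booleans, `allowPrivilegedContainer`, `allowedCapabilities`, `requiredDropCapabilities` and `readOnlyRootFilesystem`, as an added example that is not OpenShift's admission code. The restrictiveness score used to break priority ties is a simplification and an assumption, the SCC set below is constructed (the names echo the built-in SCCs but the values are illustrative), and the SCCs passed in are assumed to be those the requesting user or service account already has access to through `users` and `groups`, a check this example does not model.

```python
"""Which SCC admits a pod request: sort order from the `priority` description,
then the allow/deny checks described in the property table.

Added example, not OpenShift code. `restrictiveness()` is an assumed stand-in
for the real scoring; only the fields named below are modelled."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SCC:
    name: str
    priority: Optional[int] = None            # unset is treated as 0
    allowPrivilegedContainer: bool = False
    allowHostNetwork: bool = False
    allowHostPID: bool = False
    allowHostIPC: bool = False
    readOnlyRootFilesystem: bool = False      # true forces a read-only root FS
    allowedCapabilities: List[str] = field(default_factory=list)      # '*' allows all
    requiredDropCapabilities: List[str] = field(default_factory=list)


@dataclass
class PodRequest:
    privileged: bool = False
    hostNetwork: bool = False
    hostPID: bool = False
    hostIPC: bool = False
    readOnlyRootFilesystem: bool = False      # what the container asks for
    addCapabilities: List[str] = field(default_factory=list)


def restrictiveness(scc: SCC) -> int:
    """Assumed score: one point per allowance granted, so lower is stricter."""
    score = sum([scc.allowPrivilegedContainer, scc.allowHostNetwork,
                 scc.allowHostPID, scc.allowHostIPC, not scc.readOnlyRootFilesystem])
    score += 10 if "*" in scc.allowedCapabilities else len(scc.allowedCapabilities)
    return score


def sort_sccs(sccs: List[SCC]) -> List[SCC]:
    """Higher priority first; ties from most to least restrictive; then by name."""
    return sorted(sccs, key=lambda s: (-(s.priority or 0), restrictiveness(s), s.name))


def denial_reasons(scc: SCC, pod: PodRequest) -> List[str]:
    """Every rule from the table that this SCC would deny the request on."""
    reasons = []
    if pod.privileged and not scc.allowPrivilegedContainer:
        reasons.append("privileged container not allowed")
    if pod.hostNetwork and not scc.allowHostNetwork:
        reasons.append("hostNetwork not allowed")
    if pod.hostPID and not scc.allowHostPID:
        reasons.append("hostPID not allowed")
    if pod.hostIPC and not scc.allowHostIPC:
        reasons.append("hostIPC not allowed")
    if scc.readOnlyRootFilesystem and not pod.readOnlyRootFilesystem:
        reasons.append("read-only root filesystem is required")
    for cap in pod.addCapabilities:
        if cap in scc.requiredDropCapabilities:
            reasons.append(f"capability {cap} must be dropped")
        elif "*" not in scc.allowedCapabilities and cap not in scc.allowedCapabilities:
            reasons.append(f"capability {cap} not in allowedCapabilities")
    return reasons


def first_admitting_scc(sccs: List[SCC], pod: PodRequest) -> Optional[str]:
    """Name of the first SCC, in evaluation order, that admits the request."""
    for scc in sort_sccs(sccs):
        if not denial_reasons(scc, pod):
            return scc.name
    return None


# Constructed sample set; names echo OpenShift's built-in SCCs, values are
# illustrative and are not the shipped definitions.
SAMPLE_SCCS = [
    SCC("restricted", requiredDropCapabilities=["KILL", "MKNOD", "SETUID", "SETGID"]),
    SCC("anyuid", priority=10, requiredDropCapabilities=["MKNOD"]),
    SCC("hostnetwork", allowHostNetwork=True),
    SCC("privileged", allowPrivilegedContainer=True, allowHostNetwork=True,
        allowHostPID=True, allowHostIPC=True, allowedCapabilities=["*"]),
]

if __name__ == "__main__":
    print("evaluation order:", [s.name for s in sort_sccs(SAMPLE_SCCS)])
    print("plain pod ->", first_admitting_scc(SAMPLE_SCCS, PodRequest()))
    print("hostNetwork pod ->", first_admitting_scc(SAMPLE_SCCS, PodRequest(hostNetwork=True)))
```

Note how a `priority` of 10 on `anyuid` moves it ahead of the stricter `restricted` SCC even though nothing in the pod needs it: a plain pod is admitted by `anyuid` first. That is the effect to review whenever a custom SCC is given a non-zero priority.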
9.2. API endpoints
The following API endpoints are available:
- /apis/security.openshift.io/v1/securitycontextconstraints
  - DELETE: delete collection of SecurityContextConstraints
  - GET: list objects of kind SecurityContextConstraints
  - POST: create SecurityContextConstraints
- /apis/security.openshift.io/v1/watch/securitycontextconstraints
  - GET: watch individual changes to a list of SecurityContextConstraints. deprecated: use the 'watch' parameter with a list operation instead.
- /apis/security.openshift.io/v1/securitycontextconstraints/{name}
  - DELETE: delete SecurityContextConstraints
  - GET: read the specified SecurityContextConstraints
  - PATCH: partially update the specified SecurityContextConstraints
  - PUT: replace the specified SecurityContextConstraints
- /apis/security.openshift.io/v1/watch/securitycontextconstraints/{name}
  - GET: watch changes to an object of kind SecurityContextConstraints. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
9.2.1. /apis/security.openshift.io/v1/securitycontextconstraints
- HTTP method: DELETE
- Description: delete collection of SecurityContextConstraints
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: GET
- Description: list objects of kind SecurityContextConstraints
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: POST
- Description: create SecurityContextConstraints
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
202 - Accepted | |
401 - Unauthorized | Empty |
9.2.2. /apis/security.openshift.io/v1/watch/securitycontextconstraints
- HTTP method: GET
- Description: watch individual changes to a list of SecurityContextConstraints. deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
9.2.3. /apis/security.openshift.io/v1/securitycontextconstraints/{name}
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the SecurityContextConstraints |
- HTTP method: DELETE
- Description: delete SecurityContextConstraints
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
HTTP code | Response body |
---|---|
200 - OK | |
202 - Accepted | |
401 - Unauthorized | Empty |
- HTTP method: GET
- Description: read the specified SecurityContextConstraints
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: PATCH
- Description: partially update the specified SecurityContextConstraints
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
- HTTP method: PUT
- Description: replace the specified SecurityContextConstraints
Parameter | Type | Description |
---|---|---|
`dryRun` | `string` | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed |
`fieldValidation` | `string` | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: - Ignore: This will ignore any unknown fields that are silently dropped from the object, and will ignore all but the last duplicate field that the decoder encounters. This is the default behavior prior to v1.23. - Warn: This will send a warning via the standard warning response header for each unknown field that is dropped from the object, and for each duplicate field that is encountered. The request will still succeed if there are no other errors, and will only persist the last of any duplicate fields. This is the default in v1.23+ - Strict: This will fail the request with a BadRequest error if any unknown fields would be dropped from the object, or if any duplicate fields are present. The error returned from the server will contain all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
`body` | | |
HTTP code | Response body |
---|---|
200 - OK | |
201 - Created | |
401 - Unauthorized | Empty |
9.2.4. /apis/security.openshift.io/v1/watch/securitycontextconstraints/{name}
Parameter | Type | Description |
---|---|---|
`name` | `string` | name of the SecurityContextConstraints |
- HTTP method: GET
- Description: watch changes to an object of kind SecurityContextConstraints. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
HTTP code | Response body |
---|---|
200 - OK | |
401 - Unauthorized | Empty |
Chapter 10. ServiceAccount [v1]
- Description: ServiceAccount binds together:
  - a name, understood by users, and perhaps by peripheral systems, for an identity
  - a principal that can be authenticated and authorized
  - a set of secrets
- Type: object
10.1. Specification
Property | Type | Description |
---|---|---|
`apiVersion` | `string` | APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources |
`automountServiceAccountToken` | `boolean` | AutomountServiceAccountToken indicates whether pods running as this service account should have an API token automatically mounted. Can be overridden at the pod level. |
`imagePullSecrets` | `array` | ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod |
`imagePullSecrets[]` | `object` | LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace. |
`kind` | `string` | Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`metadata` | `ObjectMeta` | Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata |
`secrets` | `array` | Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret |
`secrets[]` | `object` | ObjectReference contains enough information to let you inspect or modify the referred object. |
10.1.1. .imagePullSecrets
- Description: ImagePullSecrets is a list of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod
- Type: array
10.1.2. .imagePullSecrets[]
- Description: LocalObjectReference contains enough information to let you locate the referenced object inside the same namespace.
- Type: object
Property | Type | Description |
---|---|---|
`name` | `string` | Name of the referent. This field is effectively required, but due to backwards compatibility is allowed to be empty. Instances of this type with an empty value here are almost certainly wrong. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
10.1.3. .secrets
- Description: Secrets is a list of the secrets in the same namespace that pods running using this ServiceAccount are allowed to use. Pods are only limited to this list if this service account has a "kubernetes.io/enforce-mountable-secrets" annotation set to "true". This field should not be used to find auto-generated service account token secrets for use outside of pods. Instead, tokens can be requested directly using the TokenRequest API, or service account token secrets can be manually created. More info: https://kubernetes.io/docs/concepts/configuration/secret
- Type: array
10.1.4. .secrets[]
- Description: ObjectReference contains enough information to let you inspect or modify the referred object.
- Type: object
Property | Type | Description |
---|---|---|
`apiVersion` | `string` | API version of the referent. |
`fieldPath` | `string` | If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: "spec.containers{name}" (where "name" refers to the name of the container that triggered the event) or if no container name is specified "spec.containers[2]" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. |
`kind` | `string` | Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds |
`name` | `string` | Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
`namespace` | `string` | Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
`resourceVersion` | `string` | Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency |
`uid` | `string` | UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids |
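The `kubernetes.io/enforce-mountable-secrets` behaviour described for `.secrets`, as an added example rather than the Kubernetes admission plugin: it lists the secrets a pod references that its ServiceAccount does not name, and reports nothing when the annotation is absent or not `"true"`, which is the page's statement that the list is only limiting in that case. Which pod fields count as a reference (secret volumes, `secretKeyRef` and `envFrom.secretRef`) is an assumption of this example; the ServiceAccount and Pod objects are constructed.

```python
"""Pre-admission check of a pod's secret references against its
ServiceAccount's `secrets` list, gated on the enforce-mountable-secrets
annotation exactly as the field description states.

Added example, not Kubernetes code. The set of pod fields treated as secret
references is an assumption; objects are plain dicts in v1 shape."""
from typing import Dict, List, Set

ENFORCE_ANNOTATION = "kubernetes.io/enforce-mountable-secrets"


def referenced_secrets(pod: Dict) -> Set[str]:
    """Secret names the pod spec pulls in through volumes and env lookups."""
    spec = pod.get("spec", {})
    names: Set[str] = set()
    for vol in spec.get("volumes", []):
        if "secret" in vol:
            names.add(vol["secret"]["secretName"])
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for env in container.get("env", []):
            ref = env.get("valueFrom", {}).get("secretKeyRef")
            if ref:
                names.add(ref["name"])
        for env_from in container.get("envFrom", []):
            if "secretRef" in env_from:
                names.add(env_from["secretRef"]["name"])
    return names


def enforcement_enabled(sa: Dict) -> bool:
    """True only when the annotation is present with the literal value "true"."""
    annotations = sa.get("metadata", {}).get("annotations", {})
    return annotations.get(ENFORCE_ANNOTATION) == "true"


def mountable_secret_violations(sa: Dict, pod: Dict) -> List[str]:
    """Secrets the pod uses that the ServiceAccount does not list.

    Returns [] when enforcement is off: without the annotation the `secrets`
    list does not limit the pod, so every reference is permitted."""
    if not enforcement_enabled(sa):
        return []
    allowed = {ref["name"] for ref in sa.get("secrets", [])}
    return sorted(referenced_secrets(pod) - allowed)


# Constructed objects: the SA lists one secret; the pod mounts that one and
# also reads a key from a second secret the SA does not list.
SAMPLE_SA = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "payments", "namespace": "shop",
                 "annotations": {ENFORCE_ANNOTATION: "true"}},
    "secrets": [{"name": "payments-db"}],
}
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-7c9", "namespace": "shop"},
    "spec": {
        "serviceAccountName": "payments",
        "volumes": [{"name": "db", "secret": {"secretName": "payments-db"}}],
        "containers": [{
            "name": "app", "image": "example.invalid/app:1.0",
            "env": [{"name": "API_KEY", "valueFrom": {
                "secretKeyRef": {"name": "billing-api", "key": "token"}}}],
        }],
    },
}

if __name__ == "__main__":
    print("referenced:", sorted(referenced_secrets(SAMPLE_POD)))
    print("violations:", mountable_secret_violations(SAMPLE_SA, SAMPLE_POD))
```

The gate is the part worth remembering when reviewing a namespace: a populated `secrets` list on a ServiceAccount reads like a restriction, but the page's wording makes it one only when the annotation is set, so the check above reports nothing for an otherwise identical ServiceAccount that lacks it.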
10.2. API endpoints
The following API endpoints are available:
- /api/v1/serviceaccounts
  - GET: list or watch objects of kind ServiceAccount
- /api/v1/watch/serviceaccounts
  - GET: watch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.
- /api/v1/namespaces/{namespace}/serviceaccounts
  - DELETE: delete collection of ServiceAccount
  - GET: list or watch objects of kind ServiceAccount
  - POST: create a ServiceAccount
- /api/v1/watch/namespaces/{namespace}/serviceaccounts
  - GET: watch individual changes to a list of ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead.
- /api/v1/namespaces/{namespace}/serviceaccounts/{name}
  - DELETE: delete a ServiceAccount
  - GET: read the specified ServiceAccount
  - PATCH: partially update the specified ServiceAccount
  - PUT: replace the specified ServiceAccount
- /api/v1/watch/namespaces/{namespace}/serviceaccounts/{name}
  - GET: watch changes to an object of kind ServiceAccount. deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
10.2.1. /api/v1/serviceaccounts
- HTTP method
-
GET
- Description
- list or watch objects of kind ServiceAccount
HTTP code | Reponse body |
---|---|
200 - OK |
|
401 - Unauthorized | Empty |
10.2.2. /api/v1/watch/serviceaccounts
- HTTP method: GET
- Description: watch individual changes to a list of ServiceAccount. Deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | WatchEvent schema |
401 - Unauthorized | Empty |
10.2.3. /api/v1/namespaces/{namespace}/serviceaccounts
- HTTP method: DELETE
- Description: delete collection of ServiceAccount
Parameter | Type | Description |
---|---|---|
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: All (all dry run stages will be processed). |
HTTP code | Response body |
---|---|
200 - OK | Status schema |
401 - Unauthorized | Empty |
- HTTP method: GET
- Description: list or watch objects of kind ServiceAccount
HTTP code | Response body |
---|---|
200 - OK | ServiceAccountList schema |
401 - Unauthorized | Empty |
- HTTP method: POST
- Description: create a ServiceAccount
Parameter | Type | Description |
---|---|---|
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: All (all dry run stages will be processed). |
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: Ignore: ignores any unknown fields, which are silently dropped from the object, and keeps only the last of any duplicate fields the decoder encounters; this was the default behavior prior to v1.23. Warn: sends a warning via the standard warning response header for each unknown field that is dropped from the object and for each duplicate field that is encountered; the request still succeeds if there are no other errors, and only the last of any duplicate fields is persisted; this is the default in v1.23+. Strict: fails the request with a BadRequest error if any unknown fields would be dropped from the object or if any duplicate fields are present; the error returned from the server lists all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
body | ServiceAccount schema | |
HTTP code | Response body |
---|---|
200 - OK | ServiceAccount schema |
201 - Created | ServiceAccount schema |
202 - Accepted | ServiceAccount schema |
401 - Unauthorized | Empty |
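The fieldValidation and dryRun parameters above are worth a client-side check in a hardening workflow: under Ignore, a misspelled field such as automountServiceAccountTokens is dropped silently and the ServiceAccount is created with the default behaviour (token mounted into every pod that uses it), and a duplicated key is resolved by keeping the last value. The Python below is an added example, not part of this reference or of OpenShift. It reproduces the two Strict checks locally (duplicate keys and unknown top-level fields), then builds the method and path, with dryRun=All and fieldValidation=Strict, for the endpoints listed in 10.2. Checking only the top level of the v1 ServiceAccount object, and the two sample manifests, are assumptions of the example.

```python
"""Client-side pre-check for ServiceAccount manifests before POST/PUT/PATCH.

Added example, not code from the OpenShift API reference. Mirrors what the
server does with fieldValidation=Strict (reject unknown and duplicate fields)
and builds the request line for the endpoints in section 10.2.
"""
import json
from urllib.parse import urlencode

# Top-level fields of a v1 ServiceAccount. Assumption of this example: nested
# schemas (metadata, imagePullSecrets entries, secrets entries) are not checked.
SERVICEACCOUNT_FIELDS = {
    "apiVersion", "kind", "metadata",
    "automountServiceAccountToken", "imagePullSecrets", "secrets",
}


class DuplicateFieldError(ValueError):
    """A JSON object carried the same key twice; Strict rejects this."""


def _reject_duplicates(pairs):
    """object_pairs_hook for json.loads: fail on a repeated key instead of
    keeping the last value, which is what plain json.loads (and Ignore) do."""
    seen = {}
    for key, value in pairs:
        if key in seen:
            raise DuplicateFieldError(f"duplicate field: {key!r}")
        seen[key] = value
    return seen


def parse_strict(text):
    """Parse a manifest, raising DuplicateFieldError on duplicate keys at any level."""
    return json.loads(text, object_pairs_hook=_reject_duplicates)


def unknown_fields(manifest):
    """Top-level keys the server would drop under Ignore or reject under Strict."""
    return sorted(set(manifest) - SERVICEACCOUNT_FIELDS)


def build_request(method, namespace=None, name=None, dry_run=False,
                  field_validation="Strict"):
    """Return (method, path-with-query) for the ServiceAccount endpoints in 10.2.

    dryRun=All and fieldValidation only apply to mutating verbs, so they are
    omitted for GET; fieldValidation applies to POST/PUT/PATCH, not DELETE.
    """
    if namespace is None:
        path = "/api/v1/serviceaccounts"
    else:
        path = f"/api/v1/namespaces/{namespace}/serviceaccounts"
    if name is not None:
        path += f"/{name}"
    query = {}
    if method in ("POST", "PUT", "PATCH", "DELETE") and dry_run:
        query["dryRun"] = "All"
    if method in ("POST", "PUT", "PATCH"):
        query["fieldValidation"] = field_validation
    return method, path + ("?" + urlencode(query) if query else "")


def precheck(text):
    """Strict parse, then unknown-field scan. Returns a list of problems (empty = clean)."""
    try:
        manifest = parse_strict(text)
    except DuplicateFieldError as exc:
        return [str(exc)]
    return [f"unknown field: {f!r}" for f in unknown_fields(manifest)]


# Constructed sample: the trailing 's' would be dropped silently under Ignore,
# so the token would still be mounted into pods using this ServiceAccount.
TYPO_MANIFEST = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "builder", "namespace": "ci"},
    "automountServiceAccountTokens": False,
})

# Constructed sample: duplicate key; plain json.loads would keep the last (true).
DUPLICATE_MANIFEST = (
    '{"apiVersion":"v1","kind":"ServiceAccount","metadata":{"name":"builder"},'
    '"automountServiceAccountToken":false,"automountServiceAccountToken":true}'
)

if __name__ == "__main__":
    print(precheck(TYPO_MANIFEST))
    print(precheck(DUPLICATE_MANIFEST))
    print(build_request("POST", namespace="ci", dry_run=True))
```

Against a live cluster, the built method and path are sent to the API server with a bearer token in the Authorization header; with dryRun=All the server runs admission and validation and returns the object it would have created without persisting it, and a 401 means the token was not accepted at all. Running the local pre-check first means a typo is reported before any credential is presented.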
10.2.4. /api/v1/watch/namespaces/{namespace}/serviceaccounts
- HTTP method: GET
- Description: watch individual changes to a list of ServiceAccount. Deprecated: use the 'watch' parameter with a list operation instead.
HTTP code | Response body |
---|---|
200 - OK | WatchEvent schema |
401 - Unauthorized | Empty |
10.2.5. /api/v1/namespaces/{namespace}/serviceaccounts/{name}
Parameter | Type | Description |
---|---|---|
name | string | name of the ServiceAccount |
- HTTP method: DELETE
- Description: delete a ServiceAccount
Parameter | Type | Description |
---|---|---|
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: All (all dry run stages will be processed). |
HTTP code | Response body |
---|---|
200 - OK | Status schema |
202 - Accepted | Status schema |
401 - Unauthorized | Empty |
- HTTP method: GET
- Description: read the specified ServiceAccount
HTTP code | Response body |
---|---|
200 - OK | ServiceAccount schema |
401 - Unauthorized | Empty |
- HTTP method: PATCH
- Description: partially update the specified ServiceAccount
Parameter | Type | Description |
---|---|---|
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: All (all dry run stages will be processed). |
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: Ignore: ignores any unknown fields, which are silently dropped from the object, and keeps only the last of any duplicate fields the decoder encounters; this was the default behavior prior to v1.23. Warn: sends a warning via the standard warning response header for each unknown field that is dropped from the object and for each duplicate field that is encountered; the request still succeeds if there are no other errors, and only the last of any duplicate fields is persisted; this is the default in v1.23+. Strict: fails the request with a BadRequest error if any unknown fields would be dropped from the object or if any duplicate fields are present; the error returned from the server lists all unknown and duplicate fields encountered. |
HTTP code | Response body |
---|---|
200 - OK | ServiceAccount schema |
201 - Created | ServiceAccount schema |
401 - Unauthorized | Empty |
- HTTP method: PUT
- Description: replace the specified ServiceAccount
Parameter | Type | Description |
---|---|---|
dryRun | string | When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: All (all dry run stages will be processed). |
fieldValidation | string | fieldValidation instructs the server on how to handle objects in the request (POST/PUT/PATCH) containing unknown or duplicate fields. Valid values are: Ignore: ignores any unknown fields, which are silently dropped from the object, and keeps only the last of any duplicate fields the decoder encounters; this was the default behavior prior to v1.23. Warn: sends a warning via the standard warning response header for each unknown field that is dropped from the object and for each duplicate field that is encountered; the request still succeeds if there are no other errors, and only the last of any duplicate fields is persisted; this is the default in v1.23+. Strict: fails the request with a BadRequest error if any unknown fields would be dropped from the object or if any duplicate fields are present; the error returned from the server lists all unknown and duplicate fields encountered. |
Parameter | Type | Description |
---|---|---|
body | ServiceAccount schema | |
HTTP code | Response body |
---|---|
200 - OK | ServiceAccount schema |
201 - Created | ServiceAccount schema |
401 - Unauthorized | Empty |
10.2.6. /api/v1/watch/namespaces/{namespace}/serviceaccounts/{name}
Parameter | Type | Description |
---|---|---|
name | string | name of the ServiceAccount |
- HTTP method: GET
- Description: watch changes to an object of kind ServiceAccount. Deprecated: use the 'watch' parameter with a list operation instead, filtered to a single item with the 'fieldSelector' parameter.
HTTP code | Response body |
---|---|
200 - OK | WatchEvent schema |
401 - Unauthorized | Empty |
Legal Notice
Copyright © 2024 Red Hat, Inc.
OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).
Modified versions must remove all Red Hat trademarks.
Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.
Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.