Class: TencentCloud::Tke::V20180525::OpenPolicySwitch

Inherits:
Common::AbstractModel
  • Object
Defined in:
lib/v20180525/models.rb

Overview

OPA policy switch


Constructor Details

#initialize(enforcementaction = nil, name = nil, kind = nil, enabledstatus = nil, openconstraintinfolist = nil) ⇒ OpenPolicySwitch

Returns a new instance of OpenPolicySwitch.



# File 'lib/v20180525/models.rb', line 15380

def initialize(enforcementaction=nil, name=nil, kind=nil, enabledstatus=nil, openconstraintinfolist=nil)
  @EnforcementAction = enforcementaction
  @Name = name
  @Kind = kind
  @EnabledStatus = enabledstatus
  @OpenConstraintInfoList = openconstraintinfolist
end

Instance Attribute Details

#EnabledStatus ⇒ Object

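Optional policies:

  • blockvolumemountpath: forbids containers from mounting the specified directories
  • k8sallowedrepos: container images must begin with one of the strings in the specified list
  • k8sblockendpointeditdefaultrole: forbids the default ClusterRole from modifying Endpoints
  • k8sblockloadbalancer: does not allow Services of type LoadBalancer
  • k8sblocknodeport: does not allow Services of type NodePort
  • k8sblockwildcardingress: forbids Ingress from configuring a blank or wildcard hostname
  • k8scontainerlimits: requires containers to set CPU and memory Limits
  • k8scontainerratios: limits the maximum ratio of Request to Limit for CPU and memory
  • k8scontainerrequests: CPU and memory Requests must be set and must be less than the configured maximum
  • k8srequiredresources: the memory Limit and the CPU and memory Requests must be configured
  • k8sdisallowanonymous: does not allow ClusterRoles and Roles outside the allowlist to be bound to the system:anonymous User and the system:unauthenticated Group
  • k8sdisallowedtags: constrains container image tags
  • k8sexternalips: restricts Service externalIPs to the list of allowed IP addresses
  • k8simagedigests: container images must include a digest
  • noupdateserviceaccount: rejects ServiceAccount updates by resources outside the allowlist
  • k8sreplicalimits: requires objects with a spec.replicas field (Deployments, ReplicaSets, etc.) to stay within the defined range
  • k8srequiredannotations: requires resources to contain the specified annotations, with values matching the provided regular expression
  • k8srequiredlabels: requires resources to contain the specified labels, with values matching the provided regular expression
  • k8srequiredprobes: requires Pods to have a Readiness or Liveness Probe
  • k8spspautomountserviceaccounttokenpod: constrains containers so that automountServiceAccountToken cannot be set to true
  • k8spspallowprivilegeescalationcontainer: constrains the allowPrivilegeEscalation field in PodSecurityPolicy to false
  • k8spspapparmor: constrains the list of AppArmor fields
  • k8spspcapabilities: restricts the allowedCapabilities and requiredDropCapabilities fields in PodSecurityPolicy
  • k8spspflexvolumes: constrains the types in the allowedFlexVolumes field in PodSecurityPolicy
  • k8spspforbiddensysctls: constrains the names that the sysctls field in PodSecurityPolicy may not use
  • k8spspfsgroup: keeps the fsGroup field in PodSecurityPolicy within the restricted range
  • k8spsphostfilesystem: constrains the parameters of the hostPath field in PodSecurityPolicy
  • k8spsphostnamespace: restricts the hostPID and hostIPC fields in PodSecurityPolicy
  • k8spsphostnetworkingports: constrains the hostNetwork and hostPorts fields in PodSecurityPolicy
  • k8spspprivilegedcontainer: forbids the privileged field in PodSecurityPolicy from being true
  • k8spspprocmount: constrains the allowedProcMountTypes field in PodSecurityPolicy
  • k8spspreadonlyrootfilesystem: constrains the readOnlyRootFilesystem field in PodSecurityPolicy
  • k8spspseccomp: constrains the seccomp.security.alpha.kubernetes.io/allowedProfileNames annotation on PodSecurityPolicy
  • k8spspselinuxv2: constrains the allowlist of SELinux configurations that a Pod may define
  • k8spspallowedusers: constrains the runAsUser, runAsGroup, supplementalGroups and fsGroup fields in PodSecurityPolicy
  • k8spspvolumetypes: constrains the types in the volumes field in PodSecurityPolicy

Parameters:

  • EnabledStatus:

    Policy switch status: open = enabled, close = disabled

  • OpenConstraintInfoList:

    List of instances associated with the policy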



# File 'lib/v20180525/models.rb', line 15378

def EnabledStatus
  @EnabledStatus
end

#EnforcementAction ⇒ Object

# File 'lib/v20180525/models.rb', line 15378

def EnforcementAction
  @EnforcementAction
end

#Kind ⇒ Object

# File 'lib/v20180525/models.rb', line 15378

def Kind
  @Kind
end

#Name ⇒ Object

# File 'lib/v20180525/models.rb', line 15378

def Name
  @Name
end

#OpenConstraintInfoList ⇒ Object

# File 'lib/v20180525/models.rb', line 15378

def OpenConstraintInfoList
  @OpenConstraintInfoList
end

Instance Method Details

#deserialize(params) ⇒ Object



# File 'lib/v20180525/models.rb', line 15388

def deserialize(params)
  @EnforcementAction = params['EnforcementAction']
  @Name = params['Name']
  @Kind = params['Kind']
  @EnabledStatus = params['EnabledStatus']
  unless params['OpenConstraintInfoList'].nil?
    @OpenConstraintInfoList = []
    params['OpenConstraintInfoList'].each do |i|
      openconstraintinfo_tmp = OpenConstraintInfo.new
      openconstraintinfo_tmp.deserialize(i)
      @OpenConstraintInfoList << openconstraintinfo_tmp
    end
  end
end
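
Added example (not part of the SDK or its documentation): a baseline audit over policy switches that reports required policy kinds which are absent or not open. It assumes Kind carries one of the policy identifiers listed on this page; REQUIRED_KINDS, switch_field, policy_gaps and the sample data are hypothetical names and constructed values.

```ruby
# Assumed security baseline, picked from the policy kinds listed on this page.
REQUIRED_KINDS = %w[
  k8spspprivilegedcontainer
  k8spsphostnamespace
  k8spsphostfilesystem
  k8sdisallowanonymous
].freeze

# Read a field from either an OpenPolicySwitch-like object (accessor methods
# named Kind, EnabledStatus, ...) or a raw params hash of the shape that
# #deserialize receives (string keys).
def switch_field(sw, field)
  sw.respond_to?(field) ? sw.public_send(field) : sw[field.to_s]
end

# Returns { kind => reason } for every required kind that is not enforced.
# Fails closed: #deserialize copies values without validating them, so any
# EnabledStatus other than the exact string 'open' is treated as not enabled.
def policy_gaps(switches, required = REQUIRED_KINDS)
  by_kind = {}
  switches.each { |sw| by_kind[switch_field(sw, :Kind)] = sw }
  required.each_with_object({}) do |kind, gaps|
    sw = by_kind[kind]
    if sw.nil?
      gaps[kind] = 'missing'
    else
      status = switch_field(sw, :EnabledStatus)
      gaps[kind] = "status=#{status.inspect}" unless status == 'open'
    end
  end
end

# Constructed sample input (not real API output).
SAMPLE = [
  { 'Kind' => 'k8spspprivilegedcontainer', 'EnabledStatus' => 'open' },
  { 'Kind' => 'k8spsphostnamespace', 'EnabledStatus' => 'close' },
  { 'Kind' => 'k8spsphostfilesystem', 'EnabledStatus' => 'Open' },
  { 'Kind' => 'k8sblocknodeport', 'EnabledStatus' => 'open' }
].freeze

policy_gaps(SAMPLE).each { |kind, why| puts "#{kind}: #{why}" }
```

The miscapitalised 'Open' entry is reported as a gap on purpose: the model stores whatever string it is given, so the audit accepts only the documented value.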