PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the PodTemplateSpec in question. The caller supplies the template and the service account names to test in `spec`; the API server evaluates the template against the cluster's SecurityContextConstraints on behalf of each named service account and reports the outcome in `status.allowedServiceAccounts`. For each service account, `allowedBy` references the SCC that admitted the template, `template` is the PodTemplateSpec after that SCC's defaulting has been applied, and `reason` explains a denial. Nothing is created, so the review is a safe way to test a manifest against the SCCs before deploying it, or to audit which service accounts in a namespace could launch a privileged or host-namespace pod.
Object schema (field names only; `- ` marks a list item, `[string]:` a map with arbitrary keys, `[string]` / `[integer]` a list of scalars; structures that repeat verbatim are noted rather than expanded again):

```yaml
apiVersion:
kind:
spec:
  serviceAccountNames:
  - [string]
  template:                              # PodTemplateSpec
    metadata:
      annotations:
        [string]:
      clusterName:
      creationTimestamp:
      deletionGracePeriodSeconds:
      deletionTimestamp:
      finalizers:
      - [string]
      generateName:
      generation:
      initializers:
        pending:
        - name:
        result:
          apiVersion:
          code:
          details:
            causes:
            - field:
              message:
              reason:
            group:
            kind:
            name:
            retryAfterSeconds:
            uid:
          kind:
          message:
          metadata:
            continue:
            resourceVersion:
            selfLink:
          reason:
          status:
      labels:
        [string]:
      name:
      namespace:
      ownerReferences:
      - apiVersion:
        blockOwnerDeletion:
        controller:
        kind:
        name:
        uid:
      resourceVersion:
      selfLink:
      uid:
    spec:                                # PodSpec
      activeDeadlineSeconds:
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - preference:
              matchExpressions:
              - key:
                operator:
                values:
                - [string]
            weight:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key:
                operator:
                values:
                - [string]
        podAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key:
                  operator:
                  values:
                  - [string]
                matchLabels:
                  [string]:
              namespaces:
              - [string]
              topologyKey:
            weight:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:               # same fields as podAffinityTerm.labelSelector
            namespaces:
            - [string]
            topologyKey:
        podAntiAffinity:                 # same fields as podAffinity
      automountServiceAccountToken:
      containers:
      - args:
        - [string]
        command:
        - [string]
        env:
        - name:
          value:
          valueFrom:
            configMapKeyRef:
              key:
              name:
              optional:
            fieldRef:
              apiVersion:
              fieldPath:
            resourceFieldRef:
              containerName:
              divisor:
              resource:
            secretKeyRef:
              key:
              name:
              optional:
        envFrom:
        - configMapRef:
            name:
            optional:
          prefix:
          secretRef:
            name:
            optional:
        image:
        imagePullPolicy:
        lifecycle:
          postStart:
            exec:
              command:
              - [string]
            httpGet:
              host:
              httpHeaders:
              - name:
                value:
              path:
              port:
              scheme:
            tcpSocket:
              host:
              port:
          preStop:                       # same fields as postStart
        livenessProbe:
          exec:
            command:
            - [string]
          failureThreshold:
          httpGet:                       # same fields as lifecycle.postStart.httpGet
          initialDelaySeconds:
          periodSeconds:
          successThreshold:
          tcpSocket:
            host:
            port:
          timeoutSeconds:
        name:
        ports:
        - containerPort:
          hostIP:
          hostPort:
          name:
          protocol:
        readinessProbe:                  # same fields as livenessProbe
        resources:
          limits:
            [string]:
          requests:
            [string]:
        securityContext:
          allowPrivilegeEscalation:
          capabilities:
            add:
            - [string]
            drop:
            - [string]
          privileged:
          readOnlyRootFilesystem:
          runAsNonRoot:
          runAsUser:
          seLinuxOptions:
            level:
            role:
            type:
            user:
        stdin:
        stdinOnce:
        terminationMessagePath:
        terminationMessagePolicy:
        tty:
        volumeDevices:
        - devicePath:
          name:
        volumeMounts:
        - mountPath:
          mountPropagation:
          name:
          readOnly:
          subPath:
        workingDir:
      dnsConfig:
        nameservers:
        - [string]
        options:
        - name:
          value:
        searches:
        - [string]
      dnsPolicy:
      hostAliases:
      - hostnames:
        - [string]
        ip:
      hostIPC:
      hostNetwork:
      hostPID:
      hostname:
      imagePullSecrets:
      - name:
      initContainers:                    # same Container fields as containers
      nodeName:
      nodeSelector:
        [string]:
      priority:
      priorityClassName:
      restartPolicy:
      schedulerName:
      securityContext:
        fsGroup:
        runAsNonRoot:
        runAsUser:
        seLinuxOptions:
          level:
          role:
          type:
          user:
        supplementalGroups:
        - [integer]
      serviceAccount:
      serviceAccountName:
      subdomain:
      terminationGracePeriodSeconds:
      tolerations:
      - effect:
        key:
        operator:
        tolerationSeconds:
        value:
      volumes:
      - awsElasticBlockStore:
          fsType:
          partition:
          readOnly:
          volumeID:
        azureDisk:
          cachingMode:
          diskName:
          diskURI:
          fsType:
          kind:
          readOnly:
        azureFile:
          readOnly:
          secretName:
          shareName:
        cephfs:
          monitors:
          - [string]
          path:
          readOnly:
          secretFile:
          secretRef:
            name:
          user:
        cinder:
          fsType:
          readOnly:
          volumeID:
        configMap:
          defaultMode:
          items:
          - key:
            mode:
            path:
          name:
          optional:
        downwardAPI:
          defaultMode:
          items:
          - fieldRef:
              apiVersion:
              fieldPath:
            mode:
            path:
            resourceFieldRef:
              containerName:
              divisor:
              resource:
        emptyDir:
          medium:
          sizeLimit:
        fc:
          fsType:
          lun:
          readOnly:
          targetWWNs:
          - [string]
          wwids:
          - [string]
        flexVolume:
          driver:
          fsType:
          options:
            [string]:
          readOnly:
          secretRef:
            name:
        flocker:
          datasetName:
          datasetUUID:
        gcePersistentDisk:
          fsType:
          partition:
          pdName:
          readOnly:
        gitRepo:
          directory:
          repository:
          revision:
        glusterfs:
          endpoints:
          path:
          readOnly:
        hostPath:
          path:
          type:
        iscsi:
          chapAuthDiscovery:
          chapAuthSession:
          fsType:
          initiatorName:
          iqn:
          iscsiInterface:
          lun:
          portals:
          - [string]
          readOnly:
          secretRef:
            name:
          targetPortal:
        name:
        nfs:
          path:
          readOnly:
          server:
        persistentVolumeClaim:
          claimName:
          readOnly:
        photonPersistentDisk:
          fsType:
          pdID:
        portworxVolume:
          fsType:
          readOnly:
          volumeID:
        projected:
          defaultMode:
          sources:
          - configMap:
              items:
              - key:
                mode:
                path:
              name:
              optional:
            downwardAPI:
              items:                     # same fields as downwardAPI.items above
            secret:
              items:
              - key:
                mode:
                path:
              name:
              optional:
        quobyte:
          group:
          readOnly:
          registry:
          user:
          volume:
        rbd:
          fsType:
          image:
          keyring:
          monitors:
          - [string]
          pool:
          readOnly:
          secretRef:
            name:
          user:
        scaleIO:
          fsType:
          gateway:
          protectionDomain:
          readOnly:
          secretRef:
            name:
          sslEnabled:
          storageMode:
          storagePool:
          system:
          volumeName:
        secret:
          defaultMode:
          items:
          - key:
            mode:
            path:
          optional:
          secretName:
        storageos:
          fsType:
          readOnly:
          secretRef:
            name:
          volumeName:
          volumeNamespace:
        vsphereVolume:
          fsType:
          storagePolicyID:
          storagePolicyName:
          volumePath:
status:
  allowedServiceAccounts:
  - allowedBy:                           # reference to the SCC that admitted the template
      apiVersion:
      fieldPath:
      kind:
      name:
      namespace:
      resourceVersion:
      uid:
    name:
    reason:
    template:                            # same PodTemplateSpec fields as spec.template
```
Create a PodSecurityPolicyReview
```http
POST /oapi/v1/podsecuritypolicyreviews HTTP/1.1
Authorization: Bearer $TOKEN
Accept: application/json
Connection: close
Content-Type: application/json

{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}
```

```shell
$ curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    https://$ENDPOINT/oapi/v1/podsecuritypolicyreviews <<'EOF'
{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}
EOF
```

`-k` disables TLS certificate verification. Outside a throwaway test cluster, pass the API server's CA with `--cacert` instead, so that the bearer token is never sent to an endpoint that has not proven its identity.
Create a PodSecurityPolicyReview
```http
POST /oapi/v1/namespaces/$NAMESPACE/podsecuritypolicyreviews HTTP/1.1
Authorization: Bearer $TOKEN
Accept: application/json
Connection: close
Content-Type: application/json

{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}
```

```shell
$ curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    https://$ENDPOINT/oapi/v1/namespaces/$NAMESPACE/podsecuritypolicyreviews <<'EOF'
{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}
EOF
```
Parameter | Description
---|---
namespace | object name and auth scope, such as for teams and projects
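The request and response above, worked end to end as an added example (this is not code from the OpenShift reference page or from the project): it builds the review body for a deliberately privileged pod template, can POST it to the namespaced endpoint with certificate verification instead of `-k`, and reduces `status.allowedServiceAccounts` to a per-service-account verdict. Two things here are assumptions rather than statements from the page: that an entry carrying `allowedBy` was admitted by that SCC while an entry without it was denied with `reason` set, and the `ENDPOINT`, `TOKEN`, `NAMESPACE` and `CAFILE` environment variables. `SAMPLE_STATUS` is constructed in the shape of the status schema, not captured from a cluster, and the image name is a placeholder.

```python
"""Dry-run a pod template against SCCs via PodSecurityPolicyReview.

Added example, not code from the OpenShift API reference. Assumes (not stated on
the page) that an allowedServiceAccounts entry with allowedBy was admitted by
that SCC and one without it was denied with reason set.
"""
import json
import os
import ssl
import urllib.request

REVIEW_PATH = "/oapi/v1/namespaces/{ns}/podsecuritypolicyreviews"


def build_review(service_accounts, pod_spec):
    """Body for POST .../podsecuritypolicyreviews, following the spec schema above."""
    return {
        "kind": "PodSecurityPolicyReview",
        "apiVersion": "v1",
        "spec": {
            "serviceAccountNames": list(service_accounts),
            "template": {"spec": pod_spec},
        },
    }


def summarize(review_status):
    """Map each reviewed service account to (admitted?, SCC name or denial reason)."""
    verdicts = {}
    for entry in review_status.get("allowedServiceAccounts", []):
        allowed_by = entry.get("allowedBy")  # assumption: present only when admitted
        if allowed_by:
            verdicts[entry["name"]] = (True, allowed_by.get("name", ""))
        else:
            verdicts[entry["name"]] = (False, entry.get("reason", "denied"))
    return verdicts


def admitted_accounts(verdicts):
    """Service accounts an SCC lets run the template: the ones worth auditing."""
    return sorted(name for name, (ok, _) in verdicts.items() if ok)


def submit_review(endpoint, token, namespace, body, cafile=None):
    """POST the review over TLS, verifying the API server certificate (no curl -k)."""
    url = "https://" + endpoint + REVIEW_PATH.format(ns=namespace)
    req = urllib.request.Request(
        url,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": "Bearer " + token,
            "Accept": "application/json",
            "Content-Type": "application/json",
        },
    )
    ctx = ssl.create_default_context(cafile=cafile)  # cafile=None uses system roots
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Deliberately dangerous template: host PID namespace plus a privileged container.
PRIVILEGED_POD_SPEC = {
    "hostPID": True,
    "containers": [{
        "name": "probe",
        "image": "registry.example.com/tools:latest",  # placeholder, not a real image
        "securityContext": {"privileged": True},
    }],
}

# Constructed response in the shape of the status schema (sample data, not a capture).
SAMPLE_STATUS = {
    "allowedServiceAccounts": [
        {"name": "default",
         "reason": "constructed: no SCC admitted the template"},
        {"name": "node-exporter",
         "allowedBy": {"kind": "SecurityContextConstraints", "name": "privileged"},
         "template": {"spec": PRIVILEGED_POD_SPEC}},
    ]
}


if __name__ == "__main__":
    body = build_review(["default", "node-exporter"], PRIVILEGED_POD_SPEC)
    if os.environ.get("ENDPOINT") and os.environ.get("TOKEN"):
        status = submit_review(os.environ["ENDPOINT"], os.environ["TOKEN"],
                               os.environ.get("NAMESPACE", "default"), body,
                               cafile=os.environ.get("CAFILE"))["status"]
    else:
        status = SAMPLE_STATUS
    verdicts = summarize(status)
    for sa, (ok, why) in verdicts.items():
        print(f"{sa}: {'ALLOWED by ' if ok else 'DENIED: '}{why}")
    print("can run this template:", admitted_accounts(verdicts))
```

With `ENDPOINT` and `TOKEN` set the script queries the cluster; without them it evaluates the constructed response. For an audit, the useful output is the list of service accounts that come back admitted for a privileged, host-PID template: each of those is a service account whose token alone is enough to run a process with node-level privileges, so it deserves the same protection as a cluster-admin credential.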