Description

PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the PodTemplateSpec in question. The review is a namespaced dry run against the security context constraints (SCCs) in force: no pod is created. The caller supplies the template in spec.template and, optionally, the service accounts to test in spec.serviceAccountNames; if that list is empty, the template's own spec.serviceAccountName is tested, or "default" when it is unset, and if the list is given, spec.serviceAccountName is ignored. For every service account tested, status.allowedServiceAccounts reports its name and either an allowedBy reference to the rule (normally a SecurityContextConstraints object) that admits the template, together with the template as it looks after that rule's defaulting is applied, or, when allowedBy is absent, a reason for the denial. Because the response names the admitting SCC, a review is a cheap pre-deployment check that a pod spec is not being admitted by anything broader than the SCC you intended.

Object Schema

apiVersion:
kind:
spec:
serviceAccountNames:
- [string]:
template:
metadata:
annotations:
[string]:
clusterName:
creationTimestamp:
deletionGracePeriodSeconds:
deletionTimestamp:
finalizers:
- [string]:
generateName:
generation:
initializers:
pending:
- name:
result:
apiVersion:
code:
details:
causes:
- field:
message:
reason:
group:
kind:
name:
retryAfterSeconds:
uid:
kind:
message:
metadata:
continue:
resourceVersion:
selfLink:
reason:
status:
labels:
[string]:
name:
namespace:
ownerReferences:
- apiVersion:
blockOwnerDeletion:
controller:
kind:
name:
uid:
resourceVersion:
selfLink:
uid:
spec:
activeDeadlineSeconds:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
- matchExpressions:
- - key:
operator:
values:
- [string]:
weight:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key:
operator:
values:
- [string]:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
weight:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
weight:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
automountServiceAccountToken:
containers:
- args:
- - [string]:
command:
- [string]:
env:
- name:
value:
valueFrom:
configMapKeyRef:
key:
name:
optional:
fieldRef:
apiVersion:
fieldPath:
resourceFieldRef:
containerName:
divisor:
resource:
secretKeyRef:
key:
name:
optional:
envFrom:
- configMapRef:
- name:
optional:
prefix:
secretRef:
name:
optional:
image:
imagePullPolicy:
lifecycle:
postStart:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
preStop:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
livenessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
name:
ports:
- containerPort:
hostIP:
hostPort:
name:
protocol:
readinessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
resources:
limits:
[string]:
requests:
[string]:
securityContext:
allowPrivilegeEscalation:
capabilities:
add:
- [string]:
drop:
- [string]:
privileged:
readOnlyRootFilesystem:
runAsNonRoot:
runAsUser:
seLinuxOptions:
level:
role:
type:
user:
stdin:
stdinOnce:
terminationMessagePath:
terminationMessagePolicy:
tty:
volumeDevices:
- devicePath:
name:
volumeMounts:
- mountPath:
mountPropagation:
name:
readOnly:
subPath:
workingDir:
dnsConfig:
nameservers:
- [string]:
options:
- name:
value:
searches:
- [string]:
dnsPolicy:
hostAliases:
- hostnames:
- - [string]:
ip:
hostIPC:
hostNetwork:
hostPID:
hostname:
imagePullSecrets:
- name:
initContainers:
- args:
- - [string]:
command:
- [string]:
env:
- name:
value:
valueFrom:
configMapKeyRef:
key:
name:
optional:
fieldRef:
apiVersion:
fieldPath:
resourceFieldRef:
containerName:
divisor:
resource:
secretKeyRef:
key:
name:
optional:
envFrom:
- configMapRef:
- name:
optional:
prefix:
secretRef:
name:
optional:
image:
imagePullPolicy:
lifecycle:
postStart:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
preStop:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
livenessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
name:
ports:
- containerPort:
hostIP:
hostPort:
name:
protocol:
readinessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
resources:
limits:
[string]:
requests:
[string]:
securityContext:
allowPrivilegeEscalation:
capabilities:
add:
- [string]:
drop:
- [string]:
privileged:
readOnlyRootFilesystem:
runAsNonRoot:
runAsUser:
seLinuxOptions:
level:
role:
type:
user:
stdin:
stdinOnce:
terminationMessagePath:
terminationMessagePolicy:
tty:
volumeDevices:
- devicePath:
name:
volumeMounts:
- mountPath:
mountPropagation:
name:
readOnly:
subPath:
workingDir:
nodeName:
nodeSelector:
[string]:
priority:
priorityClassName:
restartPolicy:
schedulerName:
securityContext:
fsGroup:
runAsNonRoot:
runAsUser:
seLinuxOptions:
level:
role:
type:
user:
supplementalGroups:
- [integer]:
serviceAccount:
serviceAccountName:
subdomain:
terminationGracePeriodSeconds:
tolerations:
- effect:
key:
operator:
tolerationSeconds:
value:
volumes:
- awsElasticBlockStore:
- fsType:
partition:
readOnly:
volumeID:
azureDisk:
cachingMode:
diskName:
diskURI:
fsType:
kind:
readOnly:
azureFile:
readOnly:
secretName:
shareName:
cephfs:
monitors:
- [string]:
path:
readOnly:
secretFile:
secretRef:
name:
user:
cinder:
fsType:
readOnly:
volumeID:
configMap:
defaultMode:
items:
- key:
mode:
path:
name:
optional:
downwardAPI:
defaultMode:
items:
- fieldRef:
- apiVersion:
fieldPath:
mode:
path:
resourceFieldRef:
containerName:
divisor:
resource:
emptyDir:
medium:
sizeLimit:
fc:
fsType:
lun:
readOnly:
targetWWNs:
- [string]:
wwids:
- [string]:
flexVolume:
driver:
fsType:
options:
[string]:
readOnly:
secretRef:
name:
flocker:
datasetName:
datasetUUID:
gcePersistentDisk:
fsType:
partition:
pdName:
readOnly:
gitRepo:
directory:
repository:
revision:
glusterfs:
endpoints:
path:
readOnly:
hostPath:
path:
type:
iscsi:
chapAuthDiscovery:
chapAuthSession:
fsType:
initiatorName:
iqn:
iscsiInterface:
lun:
portals:
- [string]:
readOnly:
secretRef:
name:
targetPortal:
name:
nfs:
path:
readOnly:
server:
persistentVolumeClaim:
claimName:
readOnly:
photonPersistentDisk:
fsType:
pdID:
portworxVolume:
fsType:
readOnly:
volumeID:
projected:
defaultMode:
sources:
- configMap:
- items:
- - key:
mode:
path:
name:
optional:
downwardAPI:
items:
- fieldRef:
- apiVersion:
fieldPath:
mode:
path:
resourceFieldRef:
containerName:
divisor:
resource:
secret:
items:
- key:
mode:
path:
name:
optional:
quobyte:
group:
readOnly:
registry:
user:
volume:
rbd:
fsType:
image:
keyring:
monitors:
- [string]:
pool:
readOnly:
secretRef:
name:
user:
scaleIO:
fsType:
gateway:
protectionDomain:
readOnly:
secretRef:
name:
sslEnabled:
storageMode:
storagePool:
system:
volumeName:
secret:
defaultMode:
items:
- key:
mode:
path:
optional:
secretName:
storageos:
fsType:
readOnly:
secretRef:
name:
volumeName:
volumeNamespace:
vsphereVolume:
fsType:
storagePolicyID:
storagePolicyName:
volumePath:
status:
allowedServiceAccounts:
- allowedBy:
- apiVersion:
fieldPath:
kind:
name:
namespace:
resourceVersion:
uid:
name:
reason:
template:
metadata:
annotations:
[string]:
clusterName:
creationTimestamp:
deletionGracePeriodSeconds:
deletionTimestamp:
finalizers:
- [string]:
generateName:
generation:
initializers:
pending:
- name:
result:
apiVersion:
code:
details:
causes:
- field:
message:
reason:
group:
kind:
name:
retryAfterSeconds:
uid:
kind:
message:
metadata:
continue:
resourceVersion:
selfLink:
reason:
status:
labels:
[string]:
name:
namespace:
ownerReferences:
- apiVersion:
blockOwnerDeletion:
controller:
kind:
name:
uid:
resourceVersion:
selfLink:
uid:
spec:
activeDeadlineSeconds:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- preference:
- matchExpressions:
- - key:
operator:
values:
- [string]:
weight:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- - key:
operator:
values:
- [string]:
podAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
weight:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
weight:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
- matchExpressions:
- - key:
operator:
values:
- [string]:
matchLabels:
[string]:
namespaces:
- [string]:
topologyKey:
automountServiceAccountToken:
containers:
- args:
- - [string]:
command:
- [string]:
env:
- name:
value:
valueFrom:
configMapKeyRef:
key:
name:
optional:
fieldRef:
apiVersion:
fieldPath:
resourceFieldRef:
containerName:
divisor:
resource:
secretKeyRef:
key:
name:
optional:
envFrom:
- configMapRef:
- name:
optional:
prefix:
secretRef:
name:
optional:
image:
imagePullPolicy:
lifecycle:
postStart:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
preStop:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
livenessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
name:
ports:
- containerPort:
hostIP:
hostPort:
name:
protocol:
readinessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
resources:
limits:
[string]:
requests:
[string]:
securityContext:
allowPrivilegeEscalation:
capabilities:
add:
- [string]:
drop:
- [string]:
privileged:
readOnlyRootFilesystem:
runAsNonRoot:
runAsUser:
seLinuxOptions:
level:
role:
type:
user:
stdin:
stdinOnce:
terminationMessagePath:
terminationMessagePolicy:
tty:
volumeDevices:
- devicePath:
name:
volumeMounts:
- mountPath:
mountPropagation:
name:
readOnly:
subPath:
workingDir:
dnsConfig:
nameservers:
- [string]:
options:
- name:
value:
searches:
- [string]:
dnsPolicy:
hostAliases:
- hostnames:
- - [string]:
ip:
hostIPC:
hostNetwork:
hostPID:
hostname:
imagePullSecrets:
- name:
initContainers:
- args:
- - [string]:
command:
- [string]:
env:
- name:
value:
valueFrom:
configMapKeyRef:
key:
name:
optional:
fieldRef:
apiVersion:
fieldPath:
resourceFieldRef:
containerName:
divisor:
resource:
secretKeyRef:
key:
name:
optional:
envFrom:
- configMapRef:
- name:
optional:
prefix:
secretRef:
name:
optional:
image:
imagePullPolicy:
lifecycle:
postStart:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
preStop:
exec:
command:
- [string]:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
tcpSocket:
host:
port:
livenessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
name:
ports:
- containerPort:
hostIP:
hostPort:
name:
protocol:
readinessProbe:
exec:
command:
- [string]:
failureThreshold:
httpGet:
host:
httpHeaders:
- name:
value:
path:
port:
scheme:
initialDelaySeconds:
periodSeconds:
successThreshold:
tcpSocket:
host:
port:
timeoutSeconds:
resources:
limits:
[string]:
requests:
[string]:
securityContext:
allowPrivilegeEscalation:
capabilities:
add:
- [string]:
drop:
- [string]:
privileged:
readOnlyRootFilesystem:
runAsNonRoot:
runAsUser:
seLinuxOptions:
level:
role:
type:
user:
stdin:
stdinOnce:
terminationMessagePath:
terminationMessagePolicy:
tty:
volumeDevices:
- devicePath:
name:
volumeMounts:
- mountPath:
mountPropagation:
name:
readOnly:
subPath:
workingDir:
nodeName:
nodeSelector:
[string]:
priority:
priorityClassName:
restartPolicy:
schedulerName:
securityContext:
fsGroup:
runAsNonRoot:
runAsUser:
seLinuxOptions:
level:
role:
type:
user:
supplementalGroups:
- [integer]:
serviceAccount:
serviceAccountName:
subdomain:
terminationGracePeriodSeconds:
tolerations:
- effect:
key:
operator:
tolerationSeconds:
value:
volumes:
- awsElasticBlockStore:
- fsType:
partition:
readOnly:
volumeID:
azureDisk:
cachingMode:
diskName:
diskURI:
fsType:
kind:
readOnly:
azureFile:
readOnly:
secretName:
shareName:
cephfs:
monitors:
- [string]:
path:
readOnly:
secretFile:
secretRef:
name:
user:
cinder:
fsType:
readOnly:
volumeID:
configMap:
defaultMode:
items:
- key:
mode:
path:
name:
optional:
downwardAPI:
defaultMode:
items:
- fieldRef:
- apiVersion:
fieldPath:
mode:
path:
resourceFieldRef:
containerName:
divisor:
resource:
emptyDir:
medium:
sizeLimit:
fc:
fsType:
lun:
readOnly:
targetWWNs:
- [string]:
wwids:
- [string]:
flexVolume:
driver:
fsType:
options:
[string]:
readOnly:
secretRef:
name:
flocker:
datasetName:
datasetUUID:
gcePersistentDisk:
fsType:
partition:
pdName:
readOnly:
gitRepo:
directory:
repository:
revision:
glusterfs:
endpoints:
path:
readOnly:
hostPath:
path:
type:
iscsi:
chapAuthDiscovery:
chapAuthSession:
fsType:
initiatorName:
iqn:
iscsiInterface:
lun:
portals:
- [string]:
readOnly:
secretRef:
name:
targetPortal:
name:
nfs:
path:
readOnly:
server:
persistentVolumeClaim:
claimName:
readOnly:
photonPersistentDisk:
fsType:
pdID:
portworxVolume:
fsType:
readOnly:
volumeID:
projected:
defaultMode:
sources:
- configMap:
- items:
- - key:
mode:
path:
name:
optional:
downwardAPI:
items:
- fieldRef:
- apiVersion:
fieldPath:
mode:
path:
resourceFieldRef:
containerName:
divisor:
resource:
secret:
items:
- key:
mode:
path:
name:
optional:
quobyte:
group:
readOnly:
registry:
user:
volume:
rbd:
fsType:
image:
keyring:
monitors:
- [string]:
pool:
readOnly:
secretRef:
name:
user:
scaleIO:
fsType:
gateway:
protectionDomain:
readOnly:
secretRef:
name:
sslEnabled:
storageMode:
storagePool:
system:
volumeName:
secret:
defaultMode:
items:
- key:
mode:
path:
optional:
secretName:
storageos:
fsType:
readOnly:
secretRef:
name:
volumeName:
volumeNamespace:
vsphereVolume:
fsType:
storagePolicyID:
storagePolicyName:
volumePath:

Operations

Create a PodSecurityPolicyReview

HTTP request

POST /oapi/v1/podsecuritypolicyreviews HTTP/1.1
Authorization: Bearer $TOKEN
Accept: application/json
Connection: close
Content-Type: application/json

{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}

Curl request

$ curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    https://$ENDPOINT/oapi/v1/podsecuritypolicyreviews <<'EOF'
{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}
EOF

HTTP body

Parameter Schema

body

v1.PodSecurityPolicyReview

Query parameters

Parameter Description

pretty

If 'true', then the output is pretty printed.

Responses

HTTP Code Schema

200 OK

v1.PodSecurityPolicyReview

201 Created

v1.PodSecurityPolicyReview

202 Accepted

v1.PodSecurityPolicyReview

401 Unauthorized

Consumes

  • */*

Produces

  • application/json

  • application/yaml

  • application/vnd.kubernetes.protobuf

Create a PodSecurityPolicyReview in a namespace

Create a PodSecurityPolicyReview

HTTP request

POST /oapi/v1/namespaces/$NAMESPACE/podsecuritypolicyreviews HTTP/1.1
Authorization: Bearer $TOKEN
Accept: application/json
Connection: close
Content-Type: application/json

{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}

Curl request

$ curl -k \
    -X POST \
    -d @- \
    -H "Authorization: Bearer $TOKEN" \
    -H 'Accept: application/json' \
    -H 'Content-Type: application/json' \
    https://$ENDPOINT/oapi/v1/namespaces/$NAMESPACE/podsecuritypolicyreviews <<'EOF'
{
  "kind": "PodSecurityPolicyReview",
  "apiVersion": "v1",
  ...
}
EOF

HTTP body

Parameter Schema

body

v1.PodSecurityPolicyReview

Path parameters

Parameter Description

namespace

object name and auth scope, such as for teams and projects

Query parameters

Parameter Description

pretty

If 'true', then the output is pretty printed.

Responses

HTTP Code Schema

200 OK

v1.PodSecurityPolicyReview

201 Created

v1.PodSecurityPolicyReview

202 Accepted

v1.PodSecurityPolicyReview

401 Unauthorized

Consumes

  • */*

Produces

  • application/json

  • application/yaml

  • application/vnd.kubernetes.protobuf
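The request bodies above elide the spec with "...". The following added example (written for this page, not code from OpenShift or the page's own) fills it in for the namespaced create operation and shows how to read the verdict per service account: it builds a review for a constructed host-agent pod template that needs the privileged SCC, submits it with TLS verification against a CA file instead of curl's -k, and maps each entry of status.allowedServiceAccounts to the admitting SCC (allowedBy absent means denied). The endpoint, token, CA file path, image name, service account names and the sample response are all assumptions, not values from the page; submit_review needs a live cluster, everything else runs offline.

```python
"""Build a PodSecurityPolicyReview, submit it, and read the verdict per service account."""
import json
import ssl
import urllib.request


def build_review(template, service_account_names=()):
    """Return the request body for POST .../namespaces/{ns}/podsecuritypolicyreviews.

    template is a PodTemplateSpec (metadata + spec). When service_account_names
    is empty the API tests template.spec.serviceAccountName ("default" if unset);
    when it is given, template.spec.serviceAccountName is ignored.
    """
    review = {
        "kind": "PodSecurityPolicyReview",
        "apiVersion": "v1",
        "spec": {"template": template},
    }
    if service_account_names:
        review["spec"]["serviceAccountNames"] = list(service_account_names)
    return review


def host_agent_template(image):
    """Constructed sample template: a node agent that only the privileged SCC admits."""
    return {
        "metadata": {"labels": {"app": "host-agent"}},
        "spec": {
            "hostNetwork": True,
            "hostPID": True,
            "containers": [{
                "name": "agent",
                "image": image,
                "securityContext": {"privileged": True},
                "volumeMounts": [{"name": "host-root", "mountPath": "/host", "readOnly": True}],
            }],
            "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        },
    }


def submit_review(endpoint, namespace, token, review, cafile):
    """POST the review and return the decoded response (needs a live cluster).

    The server certificate is verified against cafile; do not disable
    verification the way curl -k does.
    """
    url = f"https://{endpoint}/oapi/v1/namespaces/{namespace}/podsecuritypolicyreviews"
    req = urllib.request.Request(
        url,
        data=json.dumps(review).encode(),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


def summarize(review_response):
    """Map each reviewed service account to (admitting SCC name or None, reason)."""
    verdicts = {}
    for entry in review_response.get("status", {}).get("allowedServiceAccounts", []):
        allowed_by = entry.get("allowedBy")  # absent means the template was denied
        verdicts[entry["name"]] = (
            allowed_by["name"] if allowed_by else None,
            entry.get("reason", ""),
        )
    return verdicts


def over_privileged(verdicts, permitted_sccs=("restricted",)):
    """Service accounts admitted by an SCC outside the permitted set."""
    return sorted(sa for sa, (scc, _) in verdicts.items()
                  if scc is not None and scc not in permitted_sccs)


# Constructed sample response, not captured from a cluster: host-agent is
# admitted by the privileged SCC, default is admitted by nothing.
SAMPLE_RESPONSE = {
    "kind": "PodSecurityPolicyReview",
    "apiVersion": "v1",
    "status": {
        "allowedServiceAccounts": [
            {
                "name": "host-agent",
                "allowedBy": {"kind": "SecurityContextConstraints", "name": "privileged"},
                "template": host_agent_template("registry.example.com/ops/host-agent:1.4"),
            },
            {
                "name": "default",
                "reason": "no security context constraint admits this template (constructed)",
            },
        ]
    },
}

if __name__ == "__main__":
    body = build_review(host_agent_template("registry.example.com/ops/host-agent:1.4"),
                        ["host-agent", "default"])
    print(json.dumps(body, indent=2))
    verdicts = summarize(SAMPLE_RESPONSE)
    for sa, (scc, reason) in verdicts.items():
        print(f"{sa}: {'allowed by ' + scc if scc else 'denied: ' + reason}")
    print("admitted by a non-permitted SCC:", over_privileged(verdicts))
```

Run as a script it prints the complete request body that the curl example elides, then the per-service-account verdicts from the sample response. In a deployment gate, replace SAMPLE_RESPONSE with the value returned by submit_review and fail the pipeline when over_privileged returns anything: a template that is admitted by privileged or another broad SCC when you expected restricted is exactly what this review exists to catch before a pod is created.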