@kubernetes-models/fission
import { IObjectMeta } from "@kubernetes-models/apimachinery/apis/meta/v1/ObjectMeta";
import { Model, ModelData } from "@kubernetes-models/base";
/**
* Environment is environment for building and running user functions.
*/
export interface IEnvironment {
/**
* APIVersion defines the versioned schema of this representation of an object.
* Servers should convert recognized schemas to the latest internal value, and
* may reject unrecognized values.
* More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
*/
"apiVersion": "fission.io/v1";
/**
* Kind is a string value representing the REST resource this object represents.
* Servers may infer this from the endpoint the client submits requests to.
* Cannot be updated.
* In CamelCase.
* More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
*/
"kind": "Environment";
"metadata": IObjectMeta;
/**
* EnvironmentSpec contains with builder, runtime and some other related environment settings.
*/
"spec": {
/**
* Istio default blocks all egress traffic for safety.
* To enable accessibility of external network for builder/function pod, set to 'true'.
* (Optional) defaults to 'false'
*/
"allowAccessToExternalNetwork"?: boolean;
/**
* (Optional) defaults to 'single'. Fission workflow uses
* 'infinite' to load multiple functions in one function pod.
* Available value:
* - single
* - infinite
*/
"allowedFunctionsPerContainer"?: string;
/**
* (Optional) Builder is configuration for builder manager to launch environment builder to build source code into
* deployable binary.
*/
"builder"?: {
/**
* (Optional) Default build command to run for this build environment.
*/
"command"?: string;
/**
* (Optional) Container allows the modification of the deployed builder
* container using the Kubernetes Container spec. Fission overrides
* the following fields:
* - Name
* - Image; set to the Builder.Image
* - Command; set to the Builder.Command
* - TerminationMessagePath
* - ImagePullPolicy
* - ReadinessProbe
*/
"container"?: {
/**
* Arguments to the entrypoint.
* The container image's CMD is used if this is not provided.
* Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
* cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
* to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
* produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
* of whether the variable exists or not. Cannot be updated.
* More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
*/
"args"?: Array<string>;
/**
* Entrypoint array. Not executed within a shell.
* The container image's ENTRYPOINT is used if this is not provided.
* Variable references $(VAR_NAME) are expanded using the container's environment. If a variable
* cannot be resolved, the reference in the input string will be unchanged. Double $$ are reduced
* to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e. "$$(VAR_NAME)" will
* produce the string literal "$(VAR_NAME)". Escaped references will never be expanded, regardless
* of whether the variable exists or not. Cannot be updated.
* More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell
*/
"command"?: Array<string>;
/**
* List of environment variables to set in the container.
* Cannot be updated.
*/
"env"?: Array<{
/**
* Name of the environment variable. Must be a C_IDENTIFIER.
*/
"name": string;
/**
* Variable references $(VAR_NAME) are expanded
* using the previously defined environment variables in the container and
* any service environment variables. If a variable cannot be resolved,
* the reference in the input string will be unchanged. Double $$ are reduced
* to a single $, which allows for escaping the $(VAR_NAME) syntax: i.e.
* "$$(VAR_NAME)" will produce the string literal "$(VAR_NAME)".
* Escaped references will never be expanded, regardless of whether the variable
* exists or not.
* Defaults to "".
*/
"value"?: string;
/**
* Source for the environment variable's value. Cannot be used if value is not empty.
*/
"valueFrom"?: {
/**
* Selects a key of a ConfigMap.
*/
"configMapKeyRef"?: {
/**
* The key to select.
*/
"key": string;
/**
* Name of the referent.
* More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* TODO: Add other useful fields. apiVersion, kind, uid?
*/
"name"?: string;
/**
* Specify whether the ConfigMap or its key must be defined
*/
"optional"?: boolean;
};
/**
* Selects a field of the pod: supports metadata.name, metadata.namespace, `metadata.labels['<KEY>']`, `metadata.annotations['<KEY>']`,
* spec.nodeName, spec.serviceAccountName, status.hostIP, status.podIP, status.podIPs.
*/
"fieldRef"?: {
/**
* Version of the schema the FieldPath is written in terms of, defaults to "v1".
*/
"apiVersion"?: string;
/**
* Path of the field to select in the specified API version.
*/
"fieldPath": string;
};
/**
* Selects a resource of the container: only resources limits and requests
* (limits.cpu, limits.memory, limits.ephemeral-storage, requests.cpu, requests.memory and requests.ephemeral-storage) are currently supported.
*/
"resourceFieldRef"?: {
/**
* Container name: required for volumes, optional for env vars
*/
"containerName"?: string;
/**
* Specifies the output format of the exposed resources, defaults to "1"
*/
"divisor"?: number | string;
/**
* Required: resource to select
*/
"resource": string;
};
/**
* Selects a key of a secret in the pod's namespace
*/
"secretKeyRef"?: {
/**
* The key of the secret to select from. Must be a valid secret key.
*/
"key": string;
/**
* Name of the referent.
* More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* TODO: Add other useful fields. apiVersion, kind, uid?
*/
"name"?: string;
/**
* Specify whether the Secret or its key must be defined
*/
"optional"?: boolean;
};
};
}>;
/**
* List of sources to populate environment variables in the container.
* The keys defined within a source must be a C_IDENTIFIER. All invalid keys
* will be reported as an event when the container is starting. When a key exists in multiple
* sources, the value associated with the last source will take precedence.
* Values defined by an Env with a duplicate key will take precedence.
* Cannot be updated.
*/
"envFrom"?: Array<{
/**
* The ConfigMap to select from
*/
"configMapRef"?: {
/**
* Name of the referent.
* More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* TODO: Add other useful fields. apiVersion, kind, uid?
*/
"name"?: string;
/**
* Specify whether the ConfigMap must be defined
*/
"optional"?: boolean;
};
/**
* An optional identifier to prepend to each key in the ConfigMap. Must be a C_IDENTIFIER.
*/
"prefix"?: string;
/**
* The Secret to select from
*/
"secretRef"?: {
/**
* Name of the referent.
* More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
* TODO: Add other useful fields. apiVersion, kind, uid?
*/
"name"?: string;
/**
* Specify whether the Secret must be defined
*/
"optional"?: boolean;
};
}>;
/**
* Container image name.
* More info: https://kubernetes.io/docs/concepts/containers/images
* This field is optional to allow higher level config management to default or override
* container images in workload controllers like Deployments and StatefulSets.
*/
"image"?: string;
/**
* Image pull policy.
* One of Always, Never, IfNotPresent.
* Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
* Cannot be updated.
* More info: https://kubernetes.io/docs/concepts/containers/images#updating-images
*/
"imagePullPolicy"?: string;
/**
* Actions that the management system should take in response to container lifecycle events.
* Cannot be updated.
*/
"lifecycle"?: {
/**
* PostStart is called immediately after a container is created. If the handler fails,
* the container is terminated and restarted according to its restart policy.
* Other management of the container blocks until the hook completes.
* More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
*/
"postStart"?: {
/**
* Exec specifies the action to take.
*/
"exec"?: {
/**
* Command is the command line to execute inside the container, the working directory for the
* command is root ('/') in the container's filesystem. The command is simply exec'd, it is
* not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
* a shell, you need to explicitly call out to that shell.
* Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
*/
"command"?: Array<string>;
};
/**
* HTTPGet specifies the http request to perform.
*/
"httpGet"?: {
/**
* Host name to connect to, defaults to the pod IP. You probably want to set
* "Host" in httpHeaders instead.
*/
"host"?: string;
/**
* Custom headers to set in the request. HTTP allows repeated headers.
*/
"httpHeaders"?: Array<{
/**
* The header field name.
* This will be canonicalized upon output, so case-variant names will be understood as the same header.
*/
"name": string;
/**
* The header field value
*/
"value": string;
}>;
/**
* Path to access on the HTTP server.
*/
"path"?: string;
/**
* Name or number of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
/**
* Scheme to use for connecting to the host.
* Defaults to HTTP.
*/
"scheme"?: string;
};
/**
* Sleep represents the duration that the container should sleep before being terminated.
*/
"sleep"?: {
/**
* Seconds is the number of seconds to sleep.
*/
"seconds": number;
};
/**
* Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
* for the backward compatibility. There are no validation of this field and
* lifecycle hooks will fail in runtime when tcp handler is specified.
*/
"tcpSocket"?: {
/**
* Optional: Host name to connect to, defaults to the pod IP.
*/
"host"?: string;
/**
* Number or name of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
};
};
/**
* PreStop is called immediately before a container is terminated due to an
* API request or management event such as liveness/startup probe failure,
* preemption, resource contention, etc. The handler is not called if the
* container crashes or exits. The Pod's termination grace period countdown begins before the
* PreStop hook is executed. Regardless of the outcome of the handler, the
* container will eventually terminate within the Pod's termination grace
* period (unless delayed by finalizers). Other management of the container blocks until the hook completes
* or until the termination grace period is reached.
* More info: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/#container-hooks
*/
"preStop"?: {
/**
* Exec specifies the action to take.
*/
"exec"?: {
/**
* Command is the command line to execute inside the container, the working directory for the
* command is root ('/') in the container's filesystem. The command is simply exec'd, it is
* not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
* a shell, you need to explicitly call out to that shell.
* Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
*/
"command"?: Array<string>;
};
/**
* HTTPGet specifies the http request to perform.
*/
"httpGet"?: {
/**
* Host name to connect to, defaults to the pod IP. You probably want to set
* "Host" in httpHeaders instead.
*/
"host"?: string;
/**
* Custom headers to set in the request. HTTP allows repeated headers.
*/
"httpHeaders"?: Array<{
/**
* The header field name.
* This will be canonicalized upon output, so case-variant names will be understood as the same header.
*/
"name": string;
/**
* The header field value
*/
"value": string;
}>;
/**
* Path to access on the HTTP server.
*/
"path"?: string;
/**
* Name or number of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
/**
* Scheme to use for connecting to the host.
* Defaults to HTTP.
*/
"scheme"?: string;
};
/**
* Sleep represents the duration that the container should sleep before being terminated.
*/
"sleep"?: {
/**
* Seconds is the number of seconds to sleep.
*/
"seconds": number;
};
/**
* Deprecated. TCPSocket is NOT supported as a LifecycleHandler and kept
* for the backward compatibility. There are no validation of this field and
* lifecycle hooks will fail in runtime when tcp handler is specified.
*/
"tcpSocket"?: {
/**
* Optional: Host name to connect to, defaults to the pod IP.
*/
"host"?: string;
/**
* Number or name of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
};
};
};
/**
* Periodic probe of container liveness.
* Container will be restarted if the probe fails.
* Cannot be updated.
* More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
*/
"livenessProbe"?: {
/**
* Exec specifies the action to take.
*/
"exec"?: {
/**
* Command is the command line to execute inside the container, the working directory for the
* command is root ('/') in the container's filesystem. The command is simply exec'd, it is
* not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
* a shell, you need to explicitly call out to that shell.
* Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
*/
"command"?: Array<string>;
};
/**
* Minimum consecutive failures for the probe to be considered failed after having succeeded.
* Defaults to 3. Minimum value is 1.
*/
"failureThreshold"?: number;
/**
* GRPC specifies an action involving a GRPC port.
*/
"grpc"?: {
/**
* Port number of the gRPC service. Number must be in the range 1 to 65535.
*/
"port": number;
/**
* Service is the name of the service to place in the gRPC HealthCheckRequest
* (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
*
*
* If this is not specified, the default behavior is defined by gRPC.
*/
"service"?: string;
};
/**
* HTTPGet specifies the http request to perform.
*/
"httpGet"?: {
/**
* Host name to connect to, defaults to the pod IP. You probably want to set
* "Host" in httpHeaders instead.
*/
"host"?: string;
/**
* Custom headers to set in the request. HTTP allows repeated headers.
*/
"httpHeaders"?: Array<{
/**
* The header field name.
* This will be canonicalized upon output, so case-variant names will be understood as the same header.
*/
"name": string;
/**
* The header field value
*/
"value": string;
}>;
/**
* Path to access on the HTTP server.
*/
"path"?: string;
/**
* Name or number of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
/**
* Scheme to use for connecting to the host.
* Defaults to HTTP.
*/
"scheme"?: string;
};
/**
* Number of seconds after the container has started before liveness probes are initiated.
* More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
*/
"initialDelaySeconds"?: number;
/**
* How often (in seconds) to perform the probe.
* Default to 10 seconds. Minimum value is 1.
*/
"periodSeconds"?: number;
/**
* Minimum consecutive successes for the probe to be considered successful after having failed.
* Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
*/
"successThreshold"?: number;
/**
* TCPSocket specifies an action involving a TCP port.
*/
"tcpSocket"?: {
/**
* Optional: Host name to connect to, defaults to the pod IP.
*/
"host"?: string;
/**
* Number or name of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
};
/**
* Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
* The grace period is the duration in seconds after the processes running in the pod are sent
* a termination signal and the time when the processes are forcibly halted with a kill signal.
* Set this value longer than the expected cleanup time for your process.
* If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
* value overrides the value provided by the pod spec.
* Value must be non-negative integer. The value zero indicates stop immediately via
* the kill signal (no opportunity to shut down).
* This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
* Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
*/
"terminationGracePeriodSeconds"?: number;
/**
* Number of seconds after which the probe times out.
* Defaults to 1 second. Minimum value is 1.
* More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
*/
"timeoutSeconds"?: number;
};
/**
* Name of the container specified as a DNS_LABEL.
* Each container in a pod must have a unique name (DNS_LABEL).
* Cannot be updated.
*/
"name": string;
/**
* List of ports to expose from the container. Not specifying a port here
* DOES NOT prevent that port from being exposed. Any port which is
* listening on the default "0.0.0.0" address inside a container will be
* accessible from the network.
* Modifying this array with strategic merge patch may corrupt the data.
* For more information See https://github.com/kubernetes/kubernetes/issues/108255.
* Cannot be updated.
*/
"ports"?: Array<{
/**
* Number of port to expose on the pod's IP address.
* This must be a valid port number, 0 < x < 65536.
*/
"containerPort": number;
/**
* What host IP to bind the external port to.
*/
"hostIP"?: string;
/**
* Number of port to expose on the host.
* If specified, this must be a valid port number, 0 < x < 65536.
* If HostNetwork is specified, this must match ContainerPort.
* Most containers do not need this.
*/
"hostPort"?: number;
/**
* If specified, this must be an IANA_SVC_NAME and unique within the pod. Each
* named port in a pod must have a unique name. Name for the port that can be
* referred to by services.
*/
"name"?: string;
/**
* Protocol for port. Must be UDP, TCP, or SCTP.
* Defaults to "TCP".
*/
"protocol"?: string;
}>;
/**
* Periodic probe of container service readiness.
* Container will be removed from service endpoints if the probe fails.
* Cannot be updated.
* More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
*/
"readinessProbe"?: {
/**
* Exec specifies the action to take.
*/
"exec"?: {
/**
* Command is the command line to execute inside the container, the working directory for the
* command is root ('/') in the container's filesystem. The command is simply exec'd, it is
* not run inside a shell, so traditional shell instructions ('|', etc) won't work. To use
* a shell, you need to explicitly call out to that shell.
* Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
*/
"command"?: Array<string>;
};
/**
* Minimum consecutive failures for the probe to be considered failed after having succeeded.
* Defaults to 3. Minimum value is 1.
*/
"failureThreshold"?: number;
/**
* GRPC specifies an action involving a GRPC port.
*/
"grpc"?: {
/**
* Port number of the gRPC service. Number must be in the range 1 to 65535.
*/
"port": number;
/**
* Service is the name of the service to place in the gRPC HealthCheckRequest
* (see https://github.com/grpc/grpc/blob/master/doc/health-checking.md).
*
*
* If this is not specified, the default behavior is defined by gRPC.
*/
"service"?: string;
};
/**
* HTTPGet specifies the http request to perform.
*/
"httpGet"?: {
/**
* Host name to connect to, defaults to the pod IP. You probably want to set
* "Host" in httpHeaders instead.
*/
"host"?: string;
/**
* Custom headers to set in the request. HTTP allows repeated headers.
*/
"httpHeaders"?: Array<{
/**
* The header field name.
* This will be canonicalized upon output, so case-variant names will be understood as the same header.
*/
"name": string;
/**
* The header field value
*/
"value": string;
}>;
/**
* Path to access on the HTTP server.
*/
"path"?: string;
/**
* Name or number of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
/**
* Scheme to use for connecting to the host.
* Defaults to HTTP.
*/
"scheme"?: string;
};
/**
* Number of seconds after the container has started before liveness probes are initiated.
* More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
*/
"initialDelaySeconds"?: number;
/**
* How often (in seconds) to perform the probe.
* Default to 10 seconds. Minimum value is 1.
*/
"periodSeconds"?: number;
/**
* Minimum consecutive successes for the probe to be considered successful after having failed.
* Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1.
*/
"successThreshold"?: number;
/**
* TCPSocket specifies an action involving a TCP port.
*/
"tcpSocket"?: {
/**
* Optional: Host name to connect to, defaults to the pod IP.
*/
"host"?: string;
/**
* Number or name of the port to access on the container.
* Number must be in the range 1 to 65535.
* Name must be an IANA_SVC_NAME.
*/
"port": number | string;
};
/**
* Optional duration in seconds the pod needs to terminate gracefully upon probe failure.
* The grace period is the duration in seconds after the processes running in the pod are sent
* a termination signal and the time when the processes are forcibly halted with a kill signal.
* Set this value longer than the expected cleanup time for your process.
* If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this
* value overrides the value provided by the pod spec.
* Value must be non-negative integer. The value zero indicates stop immediately via
* the kill signal (no opportunity to shut down).
* This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate.
* Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset.
*/
"terminationGracePeriodSeconds"?: number;
/**
* Number of seconds after which the probe times out.
* Defaults to 1 second. Minimum value is 1.
* More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes
*/
"timeoutSeconds"?: number;
};
/**
* Resources resize policy for the container.
*/
"resizePolicy"?: Array<{
/**
* Name of the resource to which this resource resize policy applies.
* Supported values: cpu, memory.
*/
"resourceName": string;
/**
* Restart policy to apply when specified resource is resized.
* If not specified, it defaults to NotRequired.
*/
"restartPolicy": string;
}>;
/**
* Compute Resources required by this container.
* Cannot be updated.
* More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
*/
"resources"?: {
/**
* Claims lists the names of resources, defined in spec.resourceClaims,
* that are used by this container.
*
*
* This is an alpha field and requires enabling the
* DynamicResourceAllocation feature gate.
*
*
* This field is immutable. It can only be set for containers.
*/
"claims"?: Array<{
/**
* Name must match the name of one entry in pod.spec.resourceClaims of
* the Pod where this field is used. It makes that resource available
* inside a container.
*/
"name": string;
}>;
/**
* Limits describes the maximum amount of compute resources allowed.
* More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
*/
"limits"?: {
[key: string]: number | string;
};
/**
* Requests describes the minimum amount of compute resources required.
* If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
* otherwise to an implementation-defined value. Requests cannot exceed Limits.
* More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
*/
"requests"?: {
[key: string]: number | string;
};
};
/**
* RestartPolicy defines the restart behavior of individual containers in a pod.
* This field may only be set for init containers, and the only allowed value is "Always".
* For non-init containers or when this field is not specified,
* the restart behavior is defined by the Pod's restart policy and the container type.
* Setting the RestartPolicy as "Always" for the init container will have the following effect:
* this init container will be continually restarted on
* exit until all regular containers have terminated. Once all regular
* containers have completed, all init containers with restartPolicy "Always"
* will be shut down. This lifecycle differs from normal init containers and
* is often referred to as a "sidecar" container. Although this init
* container still starts in the init container sequence, it does not wait
* for the container to complete before proceeding to the next init
* container. Instead, the next init container starts immediately after this
* init container is started, or after any startupProbe has successfully
* completed.
*/
"restartPolicy"?: string;
/**
* SecurityContext defines the security options the container should be run with.
* If set, the fields of SecurityContext override the equivalent fields of PodSecurityContext.
* More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
*/
"securityContext"?: {
/**
* AllowPrivilegeEscalation controls whether a process can gain more
* privileges than its parent process. This bool directly controls if
* the no_new_privs flag will be set on the container process.
* AllowPrivilegeEscalation is true always when the container is:
* 1) run as Privileged
* 2) has CAP_SYS_ADMIN
* Note that this field cannot be set when spec.os.name is windows.
*/
"allowPrivilegeEscalation"?: boolean;
/**
* The capabilities to add/drop when running containers.
* Defaults to the default set of capabilities granted by the container runtime.
* Note that this field cannot be set when spec.os.name is windows.
*/
"capabilities"?: {
/**
* Added capabilities
*/
"add"?: Array<string>;
/**
* Removed capabilities
*/
"drop"?: Array<string>;
};
/**
* Run container in privileged mode.
* Processes in privileged containers are essentially equivalent to root on the host.
* Defaults to false.
* Note that this field cannot be set when spec.os.name is windows.
*/
"privileged"?: boolean;
/**
* procMount denotes the type of proc mount to use for the containers.
* The default is DefaultProcMount which uses the container runtime defaults for
* readonly paths and masked paths.
* This requires the ProcMountType feature flag to be enabled.
* Note that this field cannot be set when spec.os.name is windows.
*/
"procMount"?: string;
/**
* Whether this container has a read-only root filesystem.
* Default is false.
* Note that this field cannot be set when spec.os.name is windows.
*/
"readOnlyRootFilesystem"?: boolean;
/**
* The GID to run the entrypoint of the container process.
* Uses runtime default if unset.
* May also be set in PodSecurityContext. If set in both SecurityContext and
* PodSecurityContext, the value specified in SecurityContext takes precedence.
* Note that this field cannot be set when spec.os.name is windows.
*/
"runAsGroup"?: number;
/**
* Indicates that the container must run as a non-root user.
* If true, the Kubelet will validate the image at runtime to ensure that it
* does not run as UID 0 (root) and fail to start the container if it does.
* If unset or false, no such validation will be performed.
* May also be set in PodSecurityContext. If set in both SecurityContext and
* PodSecurityContext, the value specified in SecurityContext takes precedence.
*/
"runAsNonRoot"?: boolean;
/**
* The UID to run the entrypoint of the container process.
* Defaults to user specified in image metadata if unspecified.
* May also be set in PodSecurityContext. If set in both SecurityContext and
* PodSecurityContext, the value specified in SecurityContext takes precedence.
* Note that this field cannot be set when spec.os.name is windows.
*/
"runAsUser"?: number;
/**
* The SELinux context to be applied to the container.
* If unspecified, the container runtime will allocate a random SELinux context for each
* container. May also be set in PodSecurityContext. If set in both SecurityContext and
* PodSecurityContext, the value specified in SecurityContext takes precedence.
* Note that this field cannot be set when spec.os.name is windows.
*/
"seLinuxOptions"?: {
/**
* Level is SELinux level label that applies to the container.
*/
"level"?: string;
/**
* Role is a SELinux role label that applies to the container.
*/
"role"?: string;
/**
* Type is a SELinux type label that applies to the container.
*/
"type"?: string;
/**
* User is a SELinux user label that applies to the container.
*/
"user"?: string;
};
/**
* The seccomp options to use by this container. If seccomp options are
* provided at both the pod & container level, the container options
* override the pod options.
* Note that this field cannot be set when spec.os.name is windows.
*/
"seccompProfile"?: {
/**
* localhostProfile indicates a profile defined in a file on the node should be used.
* The profile must be preconfigured on the node to work.
* Must be a descending path, relative to the kubelet's configured seccomp profile location.
* Must be set if type is "Localhost". Must NOT be set for any other type.
*/
"localhostProfile"?: string;
/**
* type indicates which kind of seccomp profile will be