- Documentation
- OpenShift Container Platform
- API reference
- security.openshift.io
- About security.openshift.io history bug_report picture_as_pdf
- About
- Release Notes
- Getting Started
- Architecture
- Container Security Guide
- Installing Clusters
- Upgrading Clusters
- Configuring Clusters
- Overview
- Setting up the Registry
- Setting up a Router
- Deploying Red Hat CloudForms
- Prometheus Cluster Monitoring
- Accessing and Configuring the Red Hat Registry
- Master and Node Configuration
- OpenShift Ansible Broker Configuration
- Adding Hosts to an Existing Cluster
- Loading the Default Image Streams and Templates
- Configuring Custom Certificates
- Redeploying Certificates
- Configuring Authentication and User Agent
- Syncing groups with LDAP
- Configuring LDAP failover
- Configuring the SDN
- Configuring Nuage SDN
- Configuring NSX-T SDN
- Configuring Kuryr SDN
- Configuring for AWS
- Configuring for Red Hat Virtualization
- Configuring for OpenStack
- Configuring for Google Compute Engine
- Configuring for Azure
- Configuring for VMware vSphere
- Configuring Local Volumes
- Configuring Persistent Storage
- Overview
- Using NFS
- Using GlusterFS
- Using OpenStack Cinder
- Using Ceph RBD
- Using AWS Elastic Block Store
- Using GCE Persistent Disk
- Using iSCSI
- Using Fibre Channel
- Using Azure Disk
- Using Azure File
- Using FlexVolume
- Using VMware vSphere volumes for persistent storage
- Using Local Volume
- Using Container Storage Interface (CSI)
- Using OpenStack Manila shares
- Dynamic Provisioning and Creating Storage Classes
- Volume Security
- Selector-Label Volume Binding
- Enabling Controller-managed Attachment and Detachment
- Persistent Volume Snapshots
- Using hostPath
- Persistent Storage Examples
- Overview
- Sharing an NFS PV Across Two Pods
- Using Ceph RBD for Persistent Storage
- Using Ceph RBD for dynamic provisioning
- Complete Example Using GlusterFS
- Complete Example Using GlusterFS for Dynamic Provisioning
- Mounting Volumes To Privileged Pods
- Mount Propagation
- Switching an Integrated OpenShift Container Registry to GlusterFS
- Binding Persistent Volumes by Label
- Using StorageClasses for Dynamic Provisioning
- Using StorageClasses for Existing Legacy Storage
- Configuring Azure Blob Storage for Integrated Container Image Registry
- Configuring Ephemeral Storage
- Working with HTTP Proxies
- Configuring Global Build Defaults and Overrides
- Configuring Pipeline Execution
- Configuring Route Timeouts
- Configuring Native Container Routing
- Routing from Edge Load Balancers
- Aggregating Container Logs
- Aggregate Logging Sizing Guidelines
- Enabling Cluster Metrics
- Customizing the Web Console
- Deploying External Persistent Volume Provisioners
- Installing the Operator Framework (Technology Preview)
- Uninstalling Operator Lifecycle Manager
- Day Two Operations Guide
- Cluster Administration
- Overview
- Managing Nodes
- Restoring your cluster
- Replacing a master host
- Managing Users
- Managing Projects
- Managing Pods
- Managing Networking
- Configuring Service Accounts
- Managing Role-based Access Control
- Image Policy
- Image Signatures
- Scoped Tokens
- Monitoring Images
- Managing Security Context Constraints
- Scheduling
- Overview
- Default Scheduling
- Descheduling
- Custom Scheduling
- Controlling Pod Placement
- Pod Priority and Preemption
- Advanced Scheduling
- Advanced Scheduling and Node Affinity
- Advanced Scheduling and Pod Affinity/Anti-affinity
- Advanced Scheduling and Node Selectors
- Advanced Scheduling and Taints and Tolerations
- Setting Quotas
- Setting Multi-Project Quotas
- Pruning objects
- Extending the Kubernetes API with Custom Resources
- Garbage Collection
- Allocating Node Resources
- Overcommitting
- Out of Resource Handling
- Setting Limit Ranges
- Node Problem Detector
- Assigning Unique External IPs for Ingress Traffic
- Monitoring and Debugging Routers
- High Availability
- IPtables
- Securing Builds by Strategy
- Restricting Application Capabilities Using Seccomp
- Sysctls
- Encrypting Data at Datastore Layer
- Encrypting traffic between nodes with IPsec
- Building Dependency Trees
- Replacing a failed etcd member
- Restoring etcd quorum
- Troubleshooting Networking
- Diagnostics Tool
- Idling Applications
- Analyzing Cluster Capacity
- Configuring the cluster auto-scaler in AWS
- Disabling Features using Feature Gates
- Kuryr SDN Administration
- Scaling and Performance Guide
- Overview
- Recommended Installation Practices
- Recommended Host Practices
- Optimizing Compute Resources
- Optimizing Persistent Storage
- Optimizing Ephemeral Storage
- Network Optimization
- Routing Optimization
- Scaling Cluster Metrics
- Scaling Cluster Monitoring
- Tested Maximums per Cluster
- Using Cluster Loader
- Using CPU Manager
- Managing Huge Pages
- Optimizing On GlusterFS Storage
- Developer Guide
- Overview
- Application Life Cycle Management
- Authentication
- Authorization
- Projects
- Migrating Applications
- Tutorials
- Builds
- Deployments
- Templates
- Opening a Remote Shell to Containers
- Service Accounts
- Managing Images
- Quotas and Limit Ranges
- Getting Traffic into a Cluster
- Routes
- Integrating External Services
- Using Device Manager
- Using Device Plug-ins
- Secrets
- ConfigMaps
- Downward API
- Projected Volumes
- Using Daemonsets
- Pod Autoscaling
- Managing Volumes
- Using Persistent Volumes
- Expanding Persistent Volumes
- Executing Remote Commands
- Copying Files
- Port Forwarding
- Shared Memory
- Application Health
- Events
- Managing Environment Variables
- Jobs
- OpenShift Pipeline
- Cron Jobs
- Create from URL
- Creating an object from a custom resource definition
- Application memory sizing
- Application ephemeral storage sizing
- Creating Images
- Using Images
- CLI Reference
- Ansible Playbook Bundle Development Guide
- API reference
- API list
- Common object reference
- core
- About core
- Binding [core/v1]
- ComponentStatus [core/v1]
- ConfigMap [core/v1]
- Endpoints [core/v1]
- Event [core/v1]
- LimitRange [core/v1]
- Namespace [core/v1]
- Node [core/v1]
- PersistentVolumeClaim [core/v1]
- PersistentVolume [core/v1]
- Pod [core/v1]
- PodTemplate [core/v1]
- ReplicationController [core/v1]
- ResourceQuota [core/v1]
- Secret [core/v1]
- ServiceAccount [core/v1]
- Service [core/v1]
- admissionregistration.k8s.io
- apiregistration.k8s.io
- apps
- apps.openshift.io
- authentication.k8s.io
- authorization.k8s.io
- authorization.openshift.io
- About authorization.openshift.io
- ClusterRoleBinding [authorization.openshift.io/v1]
- ClusterRole [authorization.openshift.io/v1]
- LocalResourceAccessReview [authorization.openshift.io/v1]
- LocalSubjectAccessReview [authorization.openshift.io/v1]
- ResourceAccessReview [authorization.openshift.io/v1]
- RoleBindingRestriction [authorization.openshift.io/v1]
- RoleBinding [authorization.openshift.io/v1]
- Role [authorization.openshift.io/v1]
- SelfSubjectRulesReview [authorization.openshift.io/v1]
- SubjectAccessReview [authorization.openshift.io/v1]
- SubjectRulesReview [authorization.openshift.io/v1]
- autoscaling
- batch
- build.openshift.io
- certificates.k8s.io
- events.k8s.io
- image.openshift.io
- network.openshift.io
- networking.k8s.io
- oauth.openshift.io
- policy
- project.openshift.io
- quota.openshift.io
- rbac.authorization.k8s.io
- route.openshift.io
- scheduling.k8s.io
- security.openshift.io
- storage.k8s.io
- template.openshift.io
- user.openshift.io
- CRI-O Runtime
- Container-native Virtualization Install
- Container-native Virtualization User's Guide
- Container-native Virtualization Release Notes
×
security.openshift.io
PodSecurityPolicyReview [security.openshift.io/v1]
- Description
-
PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the
PodTemplateSpecin question. - Type
-
object
PodSecurityPolicySelfSubjectReview [security.openshift.io/v1]
- Description
-
PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
- Type
-
object
PodSecurityPolicySubjectReview [security.openshift.io/v1]
- Description
-
PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
- Type
-
object
RangeAllocation [security.openshift.io/v1]
- Description
-
RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
- Type
-
object
SecurityContextConstraints [security.openshift.io/v1]
- Description
-
SecurityContextConstraints governs the ability to make requests that affect the SecurityContext that will be applied to a container. For historical reasons scc was exposed under the core Kubernetes API group. That exposure is deprecated and will be removed in a future release - users should instead use the security.openshift.io group to manage SecurityContextConstraints.
- Type
-
object