0
# User and Security Operations
1
2
This document covers OpenShift user management, security operations, roles, role bindings, and security context constraints.
3
4
## Core Imports
5
6
```java { .api }
7
import io.fabric8.openshift.client.OpenShiftClient;
8
import io.fabric8.openshift.api.model.User;
9
import io.fabric8.openshift.api.model.UserList;
10
import io.fabric8.openshift.api.model.Group;
11
import io.fabric8.openshift.api.model.GroupList;
12
import io.fabric8.openshift.api.model.Identity;
13
import io.fabric8.openshift.api.model.IdentityList;
14
import io.fabric8.openshift.api.model.UserIdentityMapping;
15
import io.fabric8.openshift.api.model.Role;
16
import io.fabric8.openshift.api.model.RoleList;
17
import io.fabric8.openshift.api.model.RoleBinding;
18
import io.fabric8.openshift.api.model.RoleBindingList;
19
import io.fabric8.openshift.api.model.ClusterRole;
20
import io.fabric8.openshift.api.model.ClusterRoleList;
21
import io.fabric8.openshift.api.model.ClusterRoleBinding;
22
import io.fabric8.openshift.api.model.ClusterRoleBindingList;
23
import io.fabric8.openshift.api.model.RoleBindingRestriction;
24
import io.fabric8.openshift.api.model.RoleBindingRestrictionList;
25
import io.fabric8.openshift.api.model.SecurityContextConstraints;
26
import io.fabric8.openshift.api.model.SecurityContextConstraintsList;
27
import io.fabric8.openshift.api.model.RangeAllocation;
28
import io.fabric8.openshift.api.model.RangeAllocationList;
29
import io.fabric8.kubernetes.client.dsl.Resource;
30
import io.fabric8.kubernetes.client.dsl.MixedOperation;
31
import io.fabric8.kubernetes.client.dsl.NonNamespaceOperation;
32
import io.fabric8.kubernetes.client.dsl.InOutCreateable;
33
```
34
35
## User Operations
36
37
### Basic User Operations
38
39
```java { .api }
40
// List all users in the cluster
41
UserList users = client.users().list();
42
43
// Get a specific user
44
User user = client.users()
45
.withName("john.doe")
46
.get();
47
48
// Get current user (equivalent to 'oc whoami')
49
User currentUser = client.currentUser();
50
String currentUsername = currentUser.getMetadata().getName();
51
52
// Check user details
53
String fullName = user.getFullName();
54
List<String> identities = user.getIdentities();
55
List<String> groups = user.getGroups();
56
```
57
58
### User Information
59
60
```java { .api }
61
// Get user identities and providers
62
User user = client.users()
63
.withName("jane.smith")
64
.get();
65
66
if (user.getIdentities() != null) {
67
for (String identityName : user.getIdentities()) {
68
Identity identity = client.identities()
69
.withName(identityName)
70
.get();
71
72
System.out.println("Identity: " + identity.getProviderName() +
73
":" + identity.getProviderUserName());
74
}
75
}
76
```
77
78
## Group Operations
79
80
### Basic Group Operations
81
82
```java { .api }
83
// List all groups
84
GroupList groups = client.groups().list();
85
86
// Get a specific group
87
Group group = client.groups()
88
.withName("developers")
89
.get();
90
91
// Create a new group
92
Group newGroup = new GroupBuilder()
93
.withNewMetadata()
94
.withName("backend-developers")
95
.endMetadata()
96
.addToUsers("alice", "bob", "charlie")
97
.build();
98
99
Group created = client.groups().create(newGroup);
100
```
101
102
### Group Membership Management
103
104
```java { .api }
105
// Add user to group
106
Group updatedGroup = client.groups()
107
.withName("developers")
108
.edit(group -> new GroupBuilder(group)
109
.addToUsers("new-developer")
110
.build());
111
112
// Remove user from group
113
Group reducedGroup = client.groups()
114
.withName("developers")
115
.edit(group -> new GroupBuilder(group)
116
.removeFromUsers("former-developer")
117
.build());
118
119
// Get group members
120
Group group = client.groups()
121
.withName("developers")
122
.get();
123
124
List<String> members = group.getUsers();
125
System.out.println("Group members: " + String.join(", ", members));
126
```
127
128
## Identity Operations
129
130
### Working with Identities
131
132
```java { .api }
133
// List all identities
134
IdentityList identities = client.identities().list();
135
136
// Get identity by name (format: provider:providerUserName)
137
Identity identity = client.identities()
138
.withName("github:johndoe")
139
.get();
140
141
// Find identities by provider
142
IdentityList githubIdentities = client.identities()
143
.withLabel("provider", "github")
144
.list();
145
146
// Get identity details
147
String providerName = identity.getProviderName();
148
String providerUserName = identity.getProviderUserName();
149
String userName = identity.getUser().getName();
150
```
151
152
### User Identity Mapping
153
154
```java { .api }
155
// Create user identity mapping (links identity to user)
156
UserIdentityMapping mapping = new UserIdentityMappingBuilder()
157
.withNewIdentity()
158
.withName("github:newuser")
159
.endIdentity()
160
.withNewUser()
161
.withName("new.user")
162
.endUser()
163
.build();
164
165
UserIdentityMapping created = client.userIdentityMappings()
166
.create(mapping);
167
```
168
169
## Role Operations
170
171
### Basic Role Operations
172
173
```java { .api }
174
// List roles in a namespace
175
RoleList roles = client.roles()
176
.inNamespace("my-project")
177
.list();
178
179
// Get a specific role
180
Role role = client.roles()
181
.inNamespace("my-project")
182
.withName("developer-role")
183
.get();
184
185
// Create a custom role
186
Role customRole = new RoleBuilder()
187
.withNewMetadata()
188
.withName("custom-developer")
189
.withNamespace("my-project")
190
.endMetadata()
191
.addNewRule()
192
.withApiGroups("", "apps", "extensions")
193
.withResources("pods", "services", "deployments", "replicasets")
194
.withVerbs("get", "list", "watch", "create", "update", "patch", "delete")
195
.endRule()
196
.addNewRule()
197
.withApiGroups("build.openshift.io")
198
.withResources("builds", "buildconfigs")
199
.withVerbs("get", "list", "watch", "create")
200
.endRule()
201
.build();
202
203
Role created = client.roles()
204
.inNamespace("my-project")
205
.create(customRole);
206
```
207
208
### ClusterRole Operations
209
210
```java { .api }
211
// List cluster roles (cluster-wide)
212
ClusterRoleList clusterRoles = client.clusterRoles().list();
213
214
// Get specific cluster role
215
ClusterRole clusterRole = client.clusterRoles()
216
.withName("cluster-admin")
217
.get();
218
219
// Create custom cluster role
220
ClusterRole customClusterRole = new ClusterRoleBuilder()
221
.withNewMetadata()
222
.withName("custom-cluster-viewer")
223
.endMetadata()
224
.addNewRule()
225
.withApiGroups("*")
226
.withResources("*")
227
.withVerbs("get", "list", "watch")
228
.endRule()
229
.addNewRule()
230
.withNonResourceURLs("/metrics", "/healthz")
231
.withVerbs("get")
232
.endRule()
233
.build();
234
235
ClusterRole created = client.clusterRoles().create(customClusterRole);
236
```
237
238
## Role Binding Operations
239
240
### Basic Role Binding Operations
241
242
```java { .api }
243
// List role bindings in a namespace
244
RoleBindingList roleBindings = client.roleBindings()
245
.inNamespace("my-project")
246
.list();
247
248
// Get specific role binding
249
RoleBinding roleBinding = client.roleBindings()
250
.inNamespace("my-project")
251
.withName("developers-binding")
252
.get();
253
254
// Create role binding for user
255
RoleBinding userBinding = new RoleBindingBuilder()
256
.withNewMetadata()
257
.withName("developer-john")
258
.withNamespace("my-project")
259
.endMetadata()
260
.withNewRoleRef()
261
.withApiGroup("rbac.authorization.k8s.io")
262
.withKind("Role")
263
.withName("developer-role")
264
.endRoleRef()
265
.addNewSubject()
266
.withKind("User")
267
.withName("john.doe")
268
.withApiGroup("rbac.authorization.k8s.io")
269
.endSubject()
270
.build();
271
272
RoleBinding created = client.roleBindings()
273
.inNamespace("my-project")
274
.create(userBinding);
275
```
276
277
### Group Role Bindings
278
279
```java { .api }
280
// Create role binding for group
281
RoleBinding groupBinding = new RoleBindingBuilder()
282
.withNewMetadata()
283
.withName("developers-group-binding")
284
.withNamespace("my-project")
285
.endMetadata()
286
.withNewRoleRef()
287
.withApiGroup("rbac.authorization.k8s.io")
288
.withKind("ClusterRole")
289
.withName("edit")
290
.endRoleRef()
291
.addNewSubject()
292
.withKind("Group")
293
.withName("developers")
294
.withApiGroup("rbac.authorization.k8s.io")
295
.endSubject()
296
.build();
297
298
RoleBinding created = client.roleBindings()
299
.inNamespace("my-project")
300
.create(groupBinding);
301
```
302
303
### ClusterRoleBinding Operations
304
305
```java { .api }
306
// List cluster role bindings
307
ClusterRoleBindingList clusterRoleBindings = client.clusterRoleBindings().list();
308
309
// Create cluster role binding
310
ClusterRoleBinding clusterBinding = new ClusterRoleBindingBuilder()
311
.withNewMetadata()
312
.withName("cluster-admins")
313
.endMetadata()
314
.withNewRoleRef()
315
.withApiGroup("rbac.authorization.k8s.io")
316
.withKind("ClusterRole")
317
.withName("cluster-admin")
318
.endRoleRef()
319
.addNewSubject()
320
.withKind("User")
321
.withName("admin-user")
322
.withApiGroup("rbac.authorization.k8s.io")
323
.endSubject()
324
.addNewSubject()
325
.withKind("Group")
326
.withName("cluster-admins")
327
.withApiGroup("rbac.authorization.k8s.io")
328
.endSubject()
329
.build();
330
331
ClusterRoleBinding created = client.clusterRoleBindings().create(clusterBinding);
332
```
333
334
## Role Binding Restrictions
335
336
### Managing Role Binding Restrictions
337
338
```java { .api }
339
// List role binding restrictions
340
RoleBindingRestrictionList restrictions = client.roleBindingRestrictions()
341
.inNamespace("my-project")
342
.list();
343
344
// Create role binding restriction
345
RoleBindingRestriction restriction = new RoleBindingRestrictionBuilder()
346
.withNewMetadata()
347
.withName("no-admin-bindings")
348
.withNamespace("my-project")
349
.endMetadata()
350
.withNewSpec()
351
.addNewRoleBindingRestriction()
352
.addToRoles("admin", "cluster-admin")
353
.endRoleBindingRestriction()
354
.addNewUserRestriction()
355
.addToUsers("restricted-user")
356
.endUserRestriction()
357
.endSpec()
358
.build();
359
360
RoleBindingRestriction created = client.roleBindingRestrictions()
361
.inNamespace("my-project")
362
.create(restriction);
363
```
364
365
## Security Context Constraints
366
367
### Basic SCC Operations
368
369
```java { .api }
370
// List all security context constraints
371
SecurityContextConstraintsList sccs = client.securityContextConstraints().list();
372
373
// Get specific SCC
374
SecurityContextConstraints scc = client.securityContextConstraints()
375
.withName("restricted")
376
.get();
377
378
// Get SCC details
379
Boolean allowHostDirVolumePlugin = scc.getAllowHostDirVolumePlugin();
380
Boolean allowHostNetwork = scc.getAllowHostNetwork();
381
Boolean allowHostPorts = scc.getAllowHostPorts();
382
Boolean allowPrivilegedContainer = scc.getAllowPrivilegedContainer();
383
Boolean readOnlyRootFilesystem = scc.getReadOnlyRootFilesystem();
384
```
385
386
### Creating Custom SCCs
387
388
```java { .api }
389
// Create custom security context constraint
390
SecurityContextConstraints customSCC = new SecurityContextConstraintsBuilder()
391
.withNewMetadata()
392
.withName("custom-scc")
393
.endMetadata()
394
.withAllowHostDirVolumePlugin(false)
395
.withAllowHostIPC(false)
396
.withAllowHostNetwork(false)
397
.withAllowHostPID(false)
398
.withAllowHostPorts(false)
399
.withAllowPrivilegedContainer(false)
400
.withAllowedCapabilities() // No additional capabilities
401
.withDefaultAddCapabilities() // No default capabilities
402
.withRequiredDropCapabilities("ALL")
403
.withAllowedFlexVolumes() // No flex volumes
404
.withReadOnlyRootFilesystem(true)
405
.withNewRunAsUser()
406
.withType("MustRunAsRange")
407
.endRunAsUser()
408
.withNewSeLinuxContext()
409
.withType("MustRunAs")
410
.endSeLinuxContext()
411
.withNewFsGroup()
412
.withType("MustRunAs")
413
.endFsGroup()
414
.withUsers("system:serviceaccount:my-project:restricted-sa")
415
.build();
416
417
SecurityContextConstraints created = client.securityContextConstraints()
418
.create(customSCC);
419
```
420
421
### SCC User and Group Management
422
423
```java { .api }
424
// Add user to SCC
425
SecurityContextConstraints updated = client.securityContextConstraints()
426
.withName("anyuid")
427
.edit(scc -> new SecurityContextConstraintsBuilder(scc)
428
.addToUsers("system:serviceaccount:my-project:privileged-sa")
429
.build());
430
431
// Add group to SCC
432
SecurityContextConstraints groupUpdated = client.securityContextConstraints()
433
.withName("privileged")
434
.edit(scc -> new SecurityContextConstraintsBuilder(scc)
435
.addToGroups("system:authenticated")
436
.build());
437
```
438
439
## Range Allocation Operations
440
441
### Managing Range Allocations
442
443
```java { .api }
444
// List range allocations (UID/GID ranges)
445
RangeAllocationList rangeAllocations = client.rangeAllocations().list();
446
447
// Get specific range allocation
448
RangeAllocation uidRange = client.rangeAllocations()
449
.withName("uid-range")
450
.get();
451
452
// Range allocation details
453
String range = uidRange.getRange(); // e.g., "1000000000-1000999999/10000"
454
byte[] data = uidRange.getData(); // Allocation bitmap
455
```
456
457
## Advanced Security Operations
458
459
### Security Monitoring and Auditing
460
461
```java { .api }
462
// Monitor role binding changes
463
client.roleBindings()
464
.inAnyNamespace()
465
.watch(new Watcher<RoleBinding>() {
466
@Override
467
public void eventReceived(Action action, RoleBinding roleBinding) {
468
System.out.println("RoleBinding " + action + ": " +
469
roleBinding.getMetadata().getName() +
470
" in namespace " + roleBinding.getMetadata().getNamespace());
471
472
// Log subjects
473
roleBinding.getSubjects().forEach(subject ->
474
System.out.println(" Subject: " + subject.getKind() +
475
"/" + subject.getName()));
476
}
477
478
@Override
479
public void onClose(WatcherException cause) {
480
System.out.println("RoleBinding watch closed: " + cause.getMessage());
481
}
482
});
483
484
// Monitor user changes
485
client.users().watch(new Watcher<User>() {
486
@Override
487
public void eventReceived(Action action, User user) {
488
System.out.println("User " + action + ": " + user.getMetadata().getName());
489
490
if (user.getGroups() != null) {
491
System.out.println(" Groups: " + String.join(", ", user.getGroups()));
492
}
493
}
494
495
@Override
496
public void onClose(WatcherException cause) {
497
System.out.println("User watch closed: " + cause.getMessage());
498
}
499
});
500
```
501
502
## Usage Examples
503
504
### Complete User Management Example
505
506
```java
507
import io.fabric8.openshift.client.OpenShiftClient;
508
import io.fabric8.openshift.api.model.*;
509
import io.fabric8.kubernetes.api.model.rbac.*;
510
511
public class UserSecurityManager {
512
private final OpenShiftClient client;
513
514
public UserSecurityManager(OpenShiftClient client) {
515
this.client = client;
516
}
517
518
public void setupUserAccess(String username, String namespace,
519
String role, List<String> groups) {
520
// 1. Verify user exists
521
User user = client.users().withName(username).get();
522
if (user == null) {
523
System.out.println("Warning: User " + username + " not found in system");
524
return;
525
}
526
527
// 2. Add user to groups if specified
528
if (groups != null && !groups.isEmpty()) {
529
addUserToGroups(username, groups);
530
}
531
532
// 3. Create role binding for user in namespace
533
createUserRoleBinding(username, namespace, role);
534
535
// 4. Verify access
536
verifyUserAccess(username, namespace);
537
538
System.out.println("User access setup completed for: " + username);
539
}
540
541
private void addUserToGroups(String username, List<String> groups) {
542
for (String groupName : groups) {
543
Group group = client.groups().withName(groupName).get();
544
545
if (group == null) {
546
// Create group if it doesn't exist
547
group = client.groups().create(new GroupBuilder()
548
.withNewMetadata()
549
.withName(groupName)
550
.endMetadata()
551
.addToUsers(username)
552
.build());
553
System.out.println("Created group: " + groupName);
554
} else {
555
// Add user to existing group
556
if (!group.getUsers().contains(username)) {
557
client.groups().withName(groupName)
558
.edit(g -> new GroupBuilder(g)
559
.addToUsers(username)
560
.build());
561
System.out.println("Added " + username + " to group: " + groupName);
562
}
563
}
564
}
565
}
566
567
private void createUserRoleBinding(String username, String namespace, String role) {
568
String bindingName = username + "-" + role + "-binding";
569
570
RoleBinding binding = new RoleBindingBuilder()
571
.withNewMetadata()
572
.withName(bindingName)
573
.withNamespace(namespace)
574
.endMetadata()
575
.withNewRoleRef()
576
.withApiGroup("rbac.authorization.k8s.io")
577
.withKind("ClusterRole") // Assume cluster role
578
.withName(role)
579
.endRoleRef()
580
.addNewSubject()
581
.withKind("User")
582
.withName(username)
583
.withApiGroup("rbac.authorization.k8s.io")
584
.endSubject()
585
.build();
586
587
client.roleBindings()
588
.inNamespace(namespace)
589
.createOrReplace(binding);
590
591
System.out.println("Created role binding: " + bindingName);
592
}
593
594
private void verifyUserAccess(String username, String namespace) {
595
// Get all role bindings that include this user
596
RoleBindingList roleBindings = client.roleBindings()
597
.inNamespace(namespace)
598
.list();
599
600
List<String> userRoles = new ArrayList<>();
601
602
for (RoleBinding binding : roleBindings.getItems()) {
603
boolean hasUser = binding.getSubjects().stream()
604
.anyMatch(subject ->
605
"User".equals(subject.getKind()) &&
606
username.equals(subject.getName()));
607
608
if (hasUser) {
609
userRoles.add(binding.getRoleRef().getName());
610
}
611
}
612
613
System.out.println("User " + username + " has roles in " + namespace +
614
": " + String.join(", ", userRoles));
615
}
616
617
public void auditSecurityPolicies(String namespace) {
618
System.out.println("Security audit for namespace: " + namespace);
619
620
// Audit role bindings
621
RoleBindingList roleBindings = client.roleBindings()
622
.inNamespace(namespace)
623
.list();
624
625
System.out.println("\nRole Bindings:");
626
for (RoleBinding binding : roleBindings.getItems()) {
627
System.out.println(" " + binding.getMetadata().getName() +
628
" -> " + binding.getRoleRef().getName());
629
630
binding.getSubjects().forEach(subject ->
631
System.out.println(" " + subject.getKind() + ": " + subject.getName()));
632
}
633
634
// Audit security context constraints usage
635
SecurityContextConstraintsList sccs = client.securityContextConstraints().list();
636
637
System.out.println("\nSecurity Context Constraints with namespace access:");
638
for (SecurityContextConstraints scc : sccs.getItems()) {
639
boolean hasNamespaceAccess = false;
640
641
if (scc.getUsers() != null) {
642
hasNamespaceAccess = scc.getUsers().stream()
643
.anyMatch(user -> user.contains(namespace));
644
}
645
646
if (hasNamespaceAccess) {
647
System.out.println(" " + scc.getMetadata().getName() +
648
" (privileged: " + scc.getAllowPrivilegedContainer() + ")");
649
}
650
}
651
}
652
}
653
```
654
655
### Service Account Security Setup
656
657
```java
658
public class ServiceAccountSecurity {
659
private final OpenShiftClient client;
660
661
public ServiceAccountSecurity(OpenShiftClient client) {
662
this.client = client;
663
}
664
665
public void setupServiceAccountSecurity(String namespace, String saName,
666
String sccName, List<String> roles) {
667
// 1. Create service account
668
ServiceAccount sa = new ServiceAccountBuilder()
669
.withNewMetadata()
670
.withName(saName)
671
.withNamespace(namespace)
672
.endMetadata()
673
.build();
674
675
client.serviceAccounts()
676
.inNamespace(namespace)
677
.createOrReplace(sa);
678
679
// 2. Add service account to SCC
680
String saFullName = "system:serviceaccount:" + namespace + ":" + saName;
681
682
client.securityContextConstraints()
683
.withName(sccName)
684
.edit(scc -> new SecurityContextConstraintsBuilder(scc)
685
.addToUsers(saFullName)
686
.build());
687
688
// 3. Create role bindings for service account
689
for (String role : roles) {
690
RoleBinding saBinding = new RoleBindingBuilder()
691
.withNewMetadata()
692
.withName(saName + "-" + role + "-binding")
693
.withNamespace(namespace)
694
.endMetadata()
695
.withNewRoleRef()
696
.withApiGroup("rbac.authorization.k8s.io")
697
.withKind("ClusterRole")
698
.withName(role)
699
.endRoleRef()
700
.addNewSubject()
701
.withKind("ServiceAccount")
702
.withName(saName)
703
.withNamespace(namespace)
704
.endSubject()
705
.build();
706
707
client.roleBindings()
708
.inNamespace(namespace)
709
.createOrReplace(saBinding);
710
}
711
712
System.out.println("Service account security setup completed: " + saName);
713
}
714
}
715
```
716
717
## Types
718
719
### User
720
721
```java { .api }
722
public class User implements HasMetadata {
723
public ObjectMeta getMetadata();
724
public String getFullName();
725
public List<String> getIdentities();
726
public List<String> getGroups();
727
}
728
```
729
730
### Group
731
732
```java { .api }
733
public class Group implements HasMetadata {
734
public ObjectMeta getMetadata();
735
public List<String> getUsers();
736
}
737
```
738
739
### Identity
740
741
```java { .api }
742
public class Identity implements HasMetadata {
743
public ObjectMeta getMetadata();
744
public String getProviderName();
745
public String getProviderUserName();
746
public ObjectReference getUser();
747
public Object getExtra();
748
}
749
```
750
751
### Role and ClusterRole
752
753
```java { .api }
754
public class Role implements HasMetadata {
755
public ObjectMeta getMetadata();
756
public List<PolicyRule> getRules();
757
}
758
759
public class ClusterRole implements HasMetadata {
760
public ObjectMeta getMetadata();
761
public List<PolicyRule> getRules();
762
public AggregationRule getAggregationRule();
763
}
764
765
public class PolicyRule {
766
public List<String> getApiGroups();
767
public List<String> getResources();
768
public List<String> getResourceNames();
769
public List<String> getVerbs();
770
public List<String> getNonResourceURLs();
771
}
772
```
773
774
### RoleBinding and ClusterRoleBinding
775
776
```java { .api }
777
public class RoleBinding implements HasMetadata {
778
public ObjectMeta getMetadata();
779
public RoleRef getRoleRef();
780
public List<Subject> getSubjects();
781
}
782
783
public class ClusterRoleBinding implements HasMetadata {
784
public ObjectMeta getMetadata();
785
public RoleRef getRoleRef();
786
public List<Subject> getSubjects();
787
}
788
789
public class RoleRef {
790
public String getApiGroup();
791
public String getKind();
792
public String getName();
793
}
794
795
public class Subject {
796
public String getApiGroup();
797
public String getKind(); // User, Group, ServiceAccount
798
public String getName();
799
public String getNamespace();
800
}
801
```
802
803
### SecurityContextConstraints
804
805
```java { .api }
806
public class SecurityContextConstraints implements HasMetadata {
807
public ObjectMeta getMetadata();
808
public Boolean getAllowHostDirVolumePlugin();
809
public Boolean getAllowHostIPC();
810
public Boolean getAllowHostNetwork();
811
public Boolean getAllowHostPID();
812
public Boolean getAllowHostPorts();
813
public Boolean getAllowPrivilegedContainer();
814
public List<String> getAllowedCapabilities();
815
public List<String> getDefaultAddCapabilities();
816
public List<String> getRequiredDropCapabilities();
817
public List<AllowedFlexVolume> getAllowedFlexVolumes();
818
public Boolean getReadOnlyRootFilesystem();
819
public RunAsUserStrategyOptions getRunAsUser();
820
public SELinuxContextStrategyOptions getSeLinuxContext();
821
public FSGroupStrategyOptions getFsGroup();
822
public List<String> getUsers();
823
public List<String> getGroups();
824
public Integer getPriority();
825
}
826
```