summaryrefslogtreecommitdiff
path: root/vendor/k8s.io/api/policy/v1beta1/generated.proto
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/k8s.io/api/policy/v1beta1/generated.proto')
-rw-r--r--vendor/k8s.io/api/policy/v1beta1/generated.proto307
1 files changed, 307 insertions, 0 deletions
diff --git a/vendor/k8s.io/api/policy/v1beta1/generated.proto b/vendor/k8s.io/api/policy/v1beta1/generated.proto
new file mode 100644
index 000000000..514868a9f
--- /dev/null
+++ b/vendor/k8s.io/api/policy/v1beta1/generated.proto
@@ -0,0 +1,307 @@
+/*
+Copyright 2018 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.policy.v1beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
+message AllowedFlexVolume {
+ // Driver is the name of the Flexvolume driver.
+ optional string driver = 1;
+}
+
+// defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+message AllowedHostPath {
+ // is the path prefix that the host volume must match.
+ // It does not support `*`.
+ // Trailing slashes are trimmed when validating the path prefix with a host path.
+ //
+ // Examples:
+ // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+ // `/foo` would not allow `/food` or `/etc/foo`
+ optional string pathPrefix = 1;
+}
+
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod. A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
+message Eviction {
+ // ObjectMeta describes the pod that is being evicted.
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+ // DeleteOptions may be provided
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions deleteOptions = 2;
+}
+
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
+message FSGroupStrategyOptions {
+ // Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+ // +optional
+ optional string rule = 1;
+
+ // Ranges are the allowed ranges of fs groups. If you would like to force a single
+ // fs group then supply a single range with the same start and end.
+ // +optional
+ repeated IDRange ranges = 2;
+}
+
+// Host Port Range defines a range of host ports that will be enabled by a policy
+// for pods to use. It requires both the start and end to be defined.
+message HostPortRange {
+ // min is the start of the range, inclusive.
+ optional int32 min = 1;
+
+ // max is the end of the range, inclusive.
+ optional int32 max = 2;
+}
+
+// ID Range provides a min/max of an allowed range of IDs.
+message IDRange {
+ // Min is the start of the range, inclusive.
+ optional int64 min = 1;
+
+ // Max is the end of the range, inclusive.
+ optional int64 max = 2;
+}
+
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
+message PodDisruptionBudget {
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+ // Specification of the desired behavior of the PodDisruptionBudget.
+ optional PodDisruptionBudgetSpec spec = 2;
+
+ // Most recently observed status of the PodDisruptionBudget.
+ optional PodDisruptionBudgetStatus status = 3;
+}
+
+// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
+message PodDisruptionBudgetList {
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+ repeated PodDisruptionBudget items = 2;
+}
+
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
+message PodDisruptionBudgetSpec {
+ // An eviction is allowed if at least "minAvailable" pods selected by
+ // "selector" will still be available after the eviction, i.e. even in the
+ // absence of the evicted pod. So for example you can prevent all voluntary
+ // evictions by specifying "100%".
+ optional k8s.io.apimachinery.pkg.util.intstr.IntOrString minAvailable = 1;
+
+ // Label query over pods whose evictions are managed by the disruption
+ // budget.
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+ // An eviction is allowed if at most "maxUnavailable" pods selected by
+ // "selector" are unavailable after the eviction, i.e. even in absence of
+ // the evicted pod. For example, one can prevent all voluntary evictions
+ // by specifying 0. This is a mutually exclusive setting with "minAvailable".
+ optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 3;
+}
+
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
+message PodDisruptionBudgetStatus {
+ // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
+ // status informatio is valid only if observedGeneration equals to PDB's object generation.
+ // +optional
+ optional int64 observedGeneration = 1;
+
+ // DisruptedPods contains information about pods whose eviction was
+ // processed by the API server eviction subresource handler but has not
+ // yet been observed by the PodDisruptionBudget controller.
+ // A pod will be in this map from the time when the API server processed the
+ // eviction request to the time when the pod is seen by PDB controller
+ // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+ // and the value is the time when the API server processed the eviction request. If
+ // the deletion didn't occur and a pod is still there it will be removed from
+ // the list automatically by PodDisruptionBudget controller after some time.
+ // If everything goes smooth this map should be empty for the most of the time.
+ // Large number of entries in the map may indicate problems with pod deletions.
+ map<string, k8s.io.apimachinery.pkg.apis.meta.v1.Time> disruptedPods = 2;
+
+ // Number of pod disruptions that are currently allowed.
+ optional int32 disruptionsAllowed = 3;
+
+ // current number of healthy pods
+ optional int32 currentHealthy = 4;
+
+ // minimum desired number of healthy pods
+ optional int32 desiredHealthy = 5;
+
+ // total number of pods counted by this disruption budget
+ optional int32 expectedPods = 6;
+}
+
+// Pod Security Policy governs the ability to make requests that affect the Security Context
+// that will be applied to a pod and container.
+message PodSecurityPolicy {
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ // +optional
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+ // spec defines the policy enforced.
+ // +optional
+ optional PodSecurityPolicySpec spec = 2;
+}
+
+// Pod Security Policy List is a list of PodSecurityPolicy objects.
+message PodSecurityPolicyList {
+ // Standard list metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ // +optional
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+ // Items is a list of schema objects.
+ repeated PodSecurityPolicy items = 2;
+}
+
+// Pod Security Policy Spec defines the policy enforced.
+message PodSecurityPolicySpec {
+ // privileged determines if a pod can request to be run as privileged.
+ // +optional
+ optional bool privileged = 1;
+
+ // DefaultAddCapabilities is the default set of capabilities that will be added to the container
+ // unless the pod spec specifically drops the capability. You may not list a capability in both
+ // DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
+ // allowed, and need not be included in the AllowedCapabilities list.
+ // +optional
+ repeated string defaultAddCapabilities = 2;
+
+ // RequiredDropCapabilities are the capabilities that will be dropped from the container. These
+ // are required to be dropped and cannot be added.
+ // +optional
+ repeated string requiredDropCapabilities = 3;
+
+ // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
+ // Capabilities in this field may be added at the pod author's discretion.
+ // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
+ // +optional
+ repeated string allowedCapabilities = 4;
+
+ // volumes is a white list of allowed volume plugins. Empty indicates that all plugins
+ // may be used.
+ // +optional
+ repeated string volumes = 5;
+
+ // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
+ // +optional
+ optional bool hostNetwork = 6;
+
+ // hostPorts determines which host port ranges are allowed to be exposed.
+ // +optional
+ repeated HostPortRange hostPorts = 7;
+
+ // hostPID determines if the policy allows the use of HostPID in the pod spec.
+ // +optional
+ optional bool hostPID = 8;
+
+ // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
+ // +optional
+ optional bool hostIPC = 9;
+
+ // seLinux is the strategy that will dictate the allowable labels that may be set.
+ optional SELinuxStrategyOptions seLinux = 10;
+
+ // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
+ optional RunAsUserStrategyOptions runAsUser = 11;
+
+ // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+ optional SupplementalGroupsStrategyOptions supplementalGroups = 12;
+
+ // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+ optional FSGroupStrategyOptions fsGroup = 13;
+
+ // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
+ // system. If the container specifically requests to run with a non-read only root file system
+ // the PSP should deny the pod.
+ // If set to false the container may run with a read only root file system if it wishes but it
+ // will not be forced to.
+ // +optional
+ optional bool readOnlyRootFilesystem = 14;
+
+ // DefaultAllowPrivilegeEscalation controls the default setting for whether a
+ // process can gain more privileges than its parent process.
+ // +optional
+ optional bool defaultAllowPrivilegeEscalation = 15;
+
+ // AllowPrivilegeEscalation determines if a pod can request to allow
+ // privilege escalation. If unspecified, defaults to true.
+ // +optional
+ optional bool allowPrivilegeEscalation = 16;
+
+ // is a white list of allowed host paths. Empty indicates that all host paths may be used.
+ // +optional
+ repeated AllowedHostPath allowedHostPaths = 17;
+
+ // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
+ // is allowed in the "Volumes" field.
+ // +optional
+ repeated AllowedFlexVolume allowedFlexVolumes = 18;
+}
+
+// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
+message RunAsUserStrategyOptions {
+ // Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+ optional string rule = 1;
+
+ // Ranges are the allowed ranges of uids that may be used.
+ // +optional
+ repeated IDRange ranges = 2;
+}
+
+// SELinux Strategy Options defines the strategy type and any options used to create the strategy.
+message SELinuxStrategyOptions {
+ // type is the strategy that will dictate the allowable labels that may be set.
+ optional string rule = 1;
+
+ // seLinuxOptions required to run as; required for MustRunAs
+ // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ // +optional
+ optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
+}
+
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
+message SupplementalGroupsStrategyOptions {
+ // Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+ // +optional
+ optional string rule = 1;
+
+ // Ranges are the allowed ranges of supplemental groups. If you would like to force a single
+ // supplemental group then supply a single range with the same start and end.
+ // +optional
+ repeated IDRange ranges = 2;
+}
+
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2024-10-12 12:26:29 +0000