2 Copyright 2016 The Kubernetes Authors.
4 Licensed under the Apache License, Version 2.0 (the "License");
5 you may not use this file except in compliance with the License.
6 You may obtain a copy of the License at
8 http://www.apache.org/licenses/LICENSE-2.0
10 Unless required by applicable law or agreed to in writing, software
11 distributed under the License is distributed on an "AS IS" BASIS,
12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 See the License for the specific language governing permissions and
14 limitations under the License.
21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
22 "k8s.io/apimachinery/pkg/util/intstr"
25 // PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
26 type PodDisruptionBudgetSpec struct {
27 // An eviction is allowed if at least "minAvailable" pods selected by
28 // "selector" will still be available after the eviction, i.e. even in the
29 // absence of the evicted pod. So for example you can prevent all voluntary
30 // evictions by specifying "100%".
32 MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"`
34 // Label query over pods whose evictions are managed by the disruption
37 Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"`
39 // An eviction is allowed if at most "maxUnavailable" pods selected by
40 // "selector" are unavailable after the eviction, i.e. even in absence of
41 // the evicted pod. For example, one can prevent all voluntary evictions
42 // by specifying 0. This is a mutually exclusive setting with "minAvailable".
44 MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"`
47 // PodDisruptionBudgetStatus represents information about the status of a
48 // PodDisruptionBudget. Status may trail the actual state of a system.
49 type PodDisruptionBudgetStatus struct {
50 // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
51 // status informatio is valid only if observedGeneration equals to PDB's object generation.
53 ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"`
55 // DisruptedPods contains information about pods whose eviction was
56 // processed by the API server eviction subresource handler but has not
57 // yet been observed by the PodDisruptionBudget controller.
58 // A pod will be in this map from the time when the API server processed the
59 // eviction request to the time when the pod is seen by PDB controller
60 // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
61 // and the value is the time when the API server processed the eviction request. If
62 // the deletion didn't occur and a pod is still there it will be removed from
63 // the list automatically by PodDisruptionBudget controller after some time.
64 // If everything goes smooth this map should be empty for the most of the time.
65 // Large number of entries in the map may indicate problems with pod deletions.
67 DisruptedPods map[string]metav1.Time `json:"disruptedPods,omitempty" protobuf:"bytes,2,rep,name=disruptedPods"`
69 // Number of pod disruptions that are currently allowed.
70 PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"`
72 // current number of healthy pods
73 CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"`
75 // minimum desired number of healthy pods
76 DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"`
78 // total number of pods counted by this disruption budget
79 ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"`
83 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
85 // PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
86 type PodDisruptionBudget struct {
87 metav1.TypeMeta `json:",inline"`
89 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
91 // Specification of the desired behavior of the PodDisruptionBudget.
93 Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
94 // Most recently observed status of the PodDisruptionBudget.
96 Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
99 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
101 // PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
102 type PodDisruptionBudgetList struct {
103 metav1.TypeMeta `json:",inline"`
105 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
106 Items []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"`
110 // +genclient:noVerbs
111 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
113 // Eviction evicts a pod from its node subject to certain policies and safety constraints.
114 // This is a subresource of Pod. A request to cause such an eviction is
115 // created by POSTing to .../pods/<pod name>/evictions.
116 type Eviction struct {
117 metav1.TypeMeta `json:",inline"`
119 // ObjectMeta describes the pod that is being evicted.
121 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
123 // DeleteOptions may be provided
125 DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"`
129 // +genclient:nonNamespaced
130 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
132 // PodSecurityPolicy governs the ability to make requests that affect the Security Context
133 // that will be applied to a pod and container.
134 type PodSecurityPolicy struct {
135 metav1.TypeMeta `json:",inline"`
136 // Standard object's metadata.
137 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
139 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
141 // spec defines the policy enforced.
143 Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
146 // PodSecurityPolicySpec defines the policy enforced.
147 type PodSecurityPolicySpec struct {
148 // privileged determines if a pod can request to be run as privileged.
150 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"`
151 // defaultAddCapabilities is the default set of capabilities that will be added to the container
152 // unless the pod spec specifically drops the capability. You may not list a capability in both
153 // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
154 // allowed, and need not be included in the allowedCapabilities list.
156 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"`
157 // requiredDropCapabilities are the capabilities that will be dropped from the container. These
158 // are required to be dropped and cannot be added.
160 RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"`
161 // allowedCapabilities is a list of capabilities that can be requested to add to the container.
162 // Capabilities in this field may be added at the pod author's discretion.
163 // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
165 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"`
166 // volumes is a white list of allowed volume plugins. Empty indicates that
167 // no volumes may be used. To allow all volumes you may use '*'.
169 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"`
170 // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
172 HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"`
173 // hostPorts determines which host port ranges are allowed to be exposed.
175 HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"`
176 // hostPID determines if the policy allows the use of HostPID in the pod spec.
178 HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"`
179 // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
181 HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"`
182 // seLinux is the strategy that will dictate the allowable labels that may be set.
183 SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"`
184 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
185 RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"`
186 // RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
187 // If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
188 // RunAsGroup feature gate to be enabled.
190 RunAsGroup *RunAsGroupStrategyOptions `json:"runAsGroup,omitempty" protobuf:"bytes,22,opt,name=runAsGroup"`
191 // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
192 SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"`
193 // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
194 FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"`
195 // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
196 // system. If the container specifically requests to run with a non-read only root file system
197 // the PSP should deny the pod.
198 // If set to false the container may run with a read only root file system if it wishes but it
199 // will not be forced to.
201 ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"`
202 // defaultAllowPrivilegeEscalation controls the default setting for whether a
203 // process can gain more privileges than its parent process.
205 DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"`
206 // allowPrivilegeEscalation determines if a pod can request to allow
207 // privilege escalation. If unspecified, defaults to true.
209 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"`
210 // allowedHostPaths is a white list of allowed host paths. Empty indicates
211 // that all host paths may be used.
213 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"`
214 // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
215 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
216 // is allowed in the "volumes" field.
218 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"`
219 // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
220 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
221 // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
222 // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
225 // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
226 // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
228 AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"`
229 // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
230 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
231 // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
234 // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
235 // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
237 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"`
238 // AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
239 // Empty or nil indicates that only the DefaultProcMountType may be used.
240 // This requires the ProcMountType feature flag to be enabled.
242 AllowedProcMountTypes []v1.ProcMountType `json:"allowedProcMountTypes,omitempty" protobuf:"bytes,21,opt,name=allowedProcMountTypes"`
245 // AllowedHostPath defines the host volume conditions that will be enabled by a policy
246 // for pods to use. It requires the path prefix to be defined.
247 type AllowedHostPath struct {
248 // pathPrefix is the path prefix that the host volume must match.
249 // It does not support `*`.
250 // Trailing slashes are trimmed when validating the path prefix with a host path.
253 // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
254 // `/foo` would not allow `/food` or `/etc/foo`
255 PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"`
257 // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
259 ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"`
262 // AllowAllCapabilities can be used as a value for the PodSecurityPolicy.AllowAllCapabilities
263 // field and means that any capabilities are allowed to be requested.
264 var AllowAllCapabilities v1.Capability = "*"
266 // FSType gives strong typing to different file systems that are used by volumes.
270 AzureFile FSType = "azureFile"
271 Flocker FSType = "flocker"
272 FlexVolume FSType = "flexVolume"
273 HostPath FSType = "hostPath"
274 EmptyDir FSType = "emptyDir"
275 GCEPersistentDisk FSType = "gcePersistentDisk"
276 AWSElasticBlockStore FSType = "awsElasticBlockStore"
277 GitRepo FSType = "gitRepo"
278 Secret FSType = "secret"
280 ISCSI FSType = "iscsi"
281 Glusterfs FSType = "glusterfs"
282 PersistentVolumeClaim FSType = "persistentVolumeClaim"
284 Cinder FSType = "cinder"
285 CephFS FSType = "cephFS"
286 DownwardAPI FSType = "downwardAPI"
288 ConfigMap FSType = "configMap"
289 VsphereVolume FSType = "vsphereVolume"
290 Quobyte FSType = "quobyte"
291 AzureDisk FSType = "azureDisk"
292 PhotonPersistentDisk FSType = "photonPersistentDisk"
293 StorageOS FSType = "storageos"
294 Projected FSType = "projected"
295 PortworxVolume FSType = "portworxVolume"
296 ScaleIO FSType = "scaleIO"
301 // AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
302 type AllowedFlexVolume struct {
303 // driver is the name of the Flexvolume driver.
304 Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"`
307 // HostPortRange defines a range of host ports that will be enabled by a policy
308 // for pods to use. It requires both the start and end to be defined.
309 type HostPortRange struct {
310 // min is the start of the range, inclusive.
311 Min int32 `json:"min" protobuf:"varint,1,opt,name=min"`
312 // max is the end of the range, inclusive.
313 Max int32 `json:"max" protobuf:"varint,2,opt,name=max"`
316 // SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
317 type SELinuxStrategyOptions struct {
318 // rule is the strategy that will dictate the allowable labels that may be set.
319 Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"`
320 // seLinuxOptions required to run as; required for MustRunAs
321 // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
323 SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"`
326 // SELinuxStrategy denotes strategy types for generating SELinux options for a
328 type SELinuxStrategy string
331 // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
332 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs"
333 // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
334 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny"
337 // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
338 type RunAsUserStrategyOptions struct {
339 // rule is the strategy that will dictate the allowable RunAsUser values that may be set.
340 Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"`
341 // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
342 // then supply a single range with the same start and end. Required for MustRunAs.
344 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
347 // RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.
348 type RunAsGroupStrategyOptions struct {
349 // rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
350 Rule RunAsGroupStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsGroupStrategy"`
351 // ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
352 // then supply a single range with the same start and end. Required for MustRunAs.
354 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
357 // IDRange provides a min/max of an allowed range of IDs.
358 type IDRange struct {
359 // min is the start of the range, inclusive.
360 Min int64 `json:"min" protobuf:"varint,1,opt,name=min"`
361 // max is the end of the range, inclusive.
362 Max int64 `json:"max" protobuf:"varint,2,opt,name=max"`
365 // RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
367 type RunAsUserStrategy string
370 // RunAsUserStrategyMustRunAs means that container must run as a particular uid.
371 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs"
372 // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid.
373 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot"
374 // RunAsUserStrategyRunAsAny means that container may make requests for any uid.
375 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny"
378 // RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a
380 type RunAsGroupStrategy string
383 // RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid.
384 // However, when RunAsGroup are specified, they have to fall in the defined range.
385 RunAsGroupStrategyMayRunAs RunAsGroupStrategy = "MayRunAs"
386 // RunAsGroupStrategyMustRunAs means that container must run as a particular gid.
387 RunAsGroupStrategyMustRunAs RunAsGroupStrategy = "MustRunAs"
388 // RunAsUserStrategyRunAsAny means that container may make requests for any gid.
389 RunAsGroupStrategyRunAsAny RunAsGroupStrategy = "RunAsAny"
392 // FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
393 type FSGroupStrategyOptions struct {
394 // rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
396 Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"`
397 // ranges are the allowed ranges of fs groups. If you would like to force a single
398 // fs group then supply a single range with the same start and end. Required for MustRunAs.
400 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
403 // FSGroupStrategyType denotes strategy types for generating FSGroup values for a
405 type FSGroupStrategyType string
408 // FSGroupStrategyMayRunAs means that container does not need to have FSGroup of X applied.
409 // However, when FSGroups are specified, they have to fall in the defined range.
410 FSGroupStrategyMayRunAs FSGroupStrategyType = "MayRunAs"
411 // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied.
412 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs"
413 // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
414 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny"
417 // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
418 type SupplementalGroupsStrategyOptions struct {
419 // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
421 Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"`
422 // ranges are the allowed ranges of supplemental groups. If you would like to force a single
423 // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
425 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"`
428 // SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
429 // groups for a SecurityContext.
430 type SupplementalGroupsStrategyType string
433 // SupplementalGroupsStrategyMayRunAs means that container does not need to run with a particular gid.
434 // However, when gids are specified, they have to fall in the defined range.
435 SupplementalGroupsStrategyMayRunAs SupplementalGroupsStrategyType = "MayRunAs"
436 // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
437 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs"
438 // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
439 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny"
442 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
444 // PodSecurityPolicyList is a list of PodSecurityPolicy objects.
445 type PodSecurityPolicyList struct {
446 metav1.TypeMeta `json:",inline"`
447 // Standard list metadata.
448 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
450 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
452 // items is a list of schema objects.
453 Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`