github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-30 15:05:27 +00:00
Code Issues Projects Releases Wiki Activity

Enabled discrimination on target namespace

Browse Source 
Generalized ResourcePolicyRule in API Priority and Fairness to be able
to discriminate on the target namespace (if any) specified in the
request.
This commit is contained in:
Mike Spreitzer 2019-11-06 22:14:15 -05:00
parent 85bc79d81f
commit 3b77bc8054
11 changed files with 526 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
api/openapi-spec/swagger.json generated
View File

@ -14264,10 +14264,18 @@
"type": "object"
},
"io.k8s.api.flowcontrol.v1alpha1.ResourcePolicyRule": {
"description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member of resources matches the request.",
"description": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) least one member of namespaces matches the request.",
"properties": {
"apiGroups": {
"description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all api-groups. if it is present, it must be the only entry. Required.",
"description": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.",
"items": {
"type": "string"
},
"type": "array",
"x-kubernetes-list-type": "set"
},
"namespaces": {
"description": "`namespaces` is a list of target namespaces that restricts matches. A request that does not specify a target namespace (which happens both when the resource is not namespaced and when the resource is namespaced and the request is for all namespaces) matches only if this list includes \"Cluster Scope\" (this string is not a valid namespace and thus can not be confused with an actual namespace). A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\".\n\nThis list may not be omitted or empty. If the list contains \"*\" then the only other allowed member is \"Cluster Scope\". Without \"*\", it is allowed to list \"Cluster Scope\" along with particular namespaces.\n\nRequests will match only if the values in this list are appropriate for the resource(s) involved. For example: for a cluster scoped resource (i.e., one not namespaced) a request can match only if this list contains \"Cluster Scope\". It is entirely up to the client to populate this list with appropriate values; the server-performed validation does not (at least in this alpha) address this issue.",
"items": {
"type": "string"
},
@ -14275,7 +14283,7 @@
"x-kubernetes-list-type": "set"
},
"resources": {
"description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources. if it is present, it must be the only entry. Required.",
"description": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.",
"items": {
"type": "string"
},
@ -14283,7 +14291,7 @@
"x-kubernetes-list-type": "set"
},
"verbs": {
"description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. if it is present, it must be the only entry. Required.",
"description": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.",
"items": {
"type": "string"
},
@ -14294,7 +14302,8 @@
"required": [
"verbs",
"apiGroups",
"resources"
"resources",
"namespaces"
],
"type": "object"
},

57
pkg/apis/flowcontrol/types.go
View File

@ -26,8 +26,10 @@ const (
ResourceAll = "*"
VerbAll = "*"
NonResourceAll = "*"
NameAll = "*"
NameAll = "*"
NamespaceEvery = "*" // matches every particular namespace
NamespaceClusterScope = "Cluster Scope" // matches absence of namespace
)
// System preset priority level names
@ -210,28 +212,59 @@ type ServiceAccountSubject struct {
Name string
}
// ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target
// resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member
// of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member
// of resources matches the request.
// ResourcePolicyRule is a predicate that matches some resource
// requests, testing the request's verb and the target resource. A
// ResourcePolicyRule matches a resource request if and only if: (a)
// at least one member of verbs matches the request, (b) at least one
// member of apiGroups matches the request, (c) at least one member of
// resources matches the request, and (d) least one member of
// namespaces matches the request.
type ResourcePolicyRule struct {
// `verbs` is a list of matching verbs and may not be empty.
// "*" matches all verbs. if it is present, it must be the only entry.
// "*" matches all verbs and, if present, must be the only entry.
// +listType=set
// Required.
Verbs []string
// `apiGroups` is a list of matching API groups and may not be empty.
// "*" matches all api-groups. if it is present, it must be the only entry.
// "*" matches all API groups and, if present, must be the only entry.
// +listType=set
// Required.
APIGroups []string
// `resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.
// For example, [ "services", "nodes/status" ].
// This list may not be empty.
// "*" matches all resources. if it is present, it must be the only entry.
// +listType=set
// `resources` is a list of matching resources (i.e., lowercase
// and plural) with, if desired, subresource. For example, [
// "services", "nodes/status" ]. This list may not be empty.
// "*" matches all resources and, if present, must be the only entry.
// Required.
// +listType=set
Resources []string
// `namespaces` is a list of target namespaces that restricts
// matches. A request that does not specify a target namespace
// (which happens both when the resource is not namespaced and
// when the resource is namespaced and the request is for all
// namespaces) matches only if this list includes "Cluster Scope"
// (this string is not a valid namespace and thus can not be
// confused with an actual namespace). A request that specifies a
// target namespace matches only if either (a) this list contains
// that target namespace or (b) this list contains "*".
//
// This list may not be omitted or empty. If the list contains
// "*" then the only other allowed member is "Cluster Scope".
// Without "*", it is allowed to list "Cluster Scope" along with
// particular namespaces.
//
// Requests will match only if the values in this list are
// appropriate for the resource(s) involved. For example: for a
// cluster scoped resource (i.e., one not namespaced) a request
// can match only if this list contains "Cluster Scope". It is
// entirely up to the client to populate this list with
// appropriate values; the server-performed validation does not
// (at least in this alpha) address this issue.
//
// +listType=set
Namespaces []string
}
// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the

2
pkg/apis/flowcontrol/v1alpha1/zz_generated.conversion.go generated
View File

@ -697,6 +697,7 @@ func autoConvert_v1alpha1_ResourcePolicyRule_To_flowcontrol_ResourcePolicyRule(i
out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs))
out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups))
out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
return nil
}
@ -709,6 +710,7 @@ func autoConvert_flowcontrol_ResourcePolicyRule_To_v1alpha1_ResourcePolicyRule(i
out.Verbs = *(*[]string)(unsafe.Pointer(&in.Verbs))
out.APIGroups = *(*[]string)(unsafe.Pointer(&in.APIGroups))
out.Resources = *(*[]string)(unsafe.Pointer(&in.Resources))
out.Namespaces = *(*[]string)(unsafe.Pointer(&in.Namespaces))
return nil
}

30
pkg/apis/flowcontrol/validation/validation.go
View File

@ -245,9 +245,31 @@ func ValidateFlowSchemaResourcePolicyRule(rule *flowcontrol.ResourcePolicyRule,
allErrs = append(allErrs, field.Invalid(fldPath.Child("resources"), rule.Resources, "if '*' is present, must not specify other resources"))
}
if len(rule.Namespaces) == 0 {
allErrs = append(allErrs, field.Required(fldPath.Child("namespaces"), "resource rules must supply at least one namespace"))
} else if memberInList(flowcontrol.NamespaceEvery, rule.Namespaces...) {
for _, tgtNS := range rule.Namespaces {
if tgtNS != flowcontrol.NamespaceEvery && tgtNS != flowcontrol.NamespaceClusterScope {
allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces"), rule.Namespaces, "'*' may be accompanied only by 'Cluster Scope'"))
break
}
}
} else {
for idx, tgtNS := range rule.Namespaces {
if tgtNS == flowcontrol.NamespaceClusterScope {
continue
}
for _, msg := range apimachineryvalidation.ValidateNamespaceName(tgtNS, false) {
allErrs = append(allErrs, field.Invalid(fldPath.Child("namespaces").Index(idx), tgtNS, nsErrIntro+msg))
}
}
}
return allErrs
}
const nsErrIntro = "each member of this list must be '*', 'Cluster Scope', or a DNS-1123 label; "
// ValidateFlowSchemaStatus validates status for the flow-schema.
func ValidateFlowSchemaStatus(status *flowcontrol.FlowSchemaStatus, fldPath *field.Path) field.ErrorList {
var allErrs field.ErrorList
@ -424,8 +446,12 @@ func ValidateNonResourceURLPath(path string, fldPath *field.Path) *field.Error {
}
func hasWildcard(operations []string) bool {
for _, o := range operations {
if o == "*" {
return memberInList("*", operations...)
}
func memberInList(seek string, a ...string) bool {
for _, ai := range a {
if ai == seek {
return true
}
}

222
pkg/apis/flowcontrol/validation/validation_test.go
View File

@ -34,7 +34,7 @@ func TestFlowSchemaValidation(t *testing.T) {
expectedErrors field.ErrorList
}{
{
name: "missing neither resource and non-resource policy-rule should fail",
name: "missing both resource and non-resource policy-rule should fail",
flowSchema: &flowcontrol.FlowSchema{
ObjectMeta: metav1.ObjectMeta{
Name: "system-foo",
@ -81,9 +81,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
},
@ -113,9 +114,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll, "create"},
APIGroups: []string{flowcontrol.APIGroupAll, "tak"},
Resources: []string{flowcontrol.ResourceAll, "tok"},
Verbs: []string{flowcontrol.VerbAll, "create"},
APIGroups: []string{flowcontrol.APIGroupAll, "tak"},
Resources: []string{flowcontrol.ResourceAll, "tok"},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
},
@ -149,9 +151,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
NonResourceRules: []flowcontrol.NonResourcePolicyRule{
@ -252,9 +255,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{"feed"},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Verbs: []string{"feed"},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
},
@ -286,9 +290,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
},
@ -322,9 +327,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
},
@ -355,9 +361,10 @@ func TestFlowSchemaValidation(t *testing.T) {
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceEvery},
},
},
},
@ -368,6 +375,177 @@ func TestFlowSchemaValidation(t *testing.T) {
field.NotSupported(field.NewPath("spec").Child("rules").Index(0).Child("subjects").Index(0).Child("kind"), flowcontrol.SubjectKind(""), supportedSubjectKinds.List()),
},
},
{
name: "Omitted ResourceRule.Namespaces should fail",
flowSchema: &flowcontrol.FlowSchema{
ObjectMeta: metav1.ObjectMeta{
Name: "system-foo",
},
Spec: flowcontrol.FlowSchemaSpec{
MatchingPrecedence: 50,
PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
Name: "system-bar",
},
Rules: []flowcontrol.PolicyRulesWithSubjects{
{
Subjects: []flowcontrol.Subject{
{
Kind: flowcontrol.SubjectKindUser,
User: &flowcontrol.UserSubject{Name: "noxu"},
},
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: nil,
},
},
},
},
},
},
expectedErrors: field.ErrorList{
field.Required(field.NewPath("spec").Child("rules").Index(0).Child("resourceRules").Index(0).Child("namespaces"), "resource rules must supply at least one namespace"),
},
},
{
name: "NamespaceClusterScope is allowed",
flowSchema: &flowcontrol.FlowSchema{
ObjectMeta: metav1.ObjectMeta{
Name: "system-foo",
},
Spec: flowcontrol.FlowSchemaSpec{
MatchingPrecedence: 50,
PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
Name: "system-bar",
},
Rules: []flowcontrol.PolicyRulesWithSubjects{
{
Subjects: []flowcontrol.Subject{
{
Kind: flowcontrol.SubjectKindUser,
User: &flowcontrol.UserSubject{Name: "noxu"},
},
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceClusterScope},
},
},
},
},
},
},
expectedErrors: field.ErrorList{},
},
{
name: "NamespaceClusterScope is allowed with NamespaceEvery",
flowSchema: &flowcontrol.FlowSchema{
ObjectMeta: metav1.ObjectMeta{
Name: "system-foo",
},
Spec: flowcontrol.FlowSchemaSpec{
MatchingPrecedence: 50,
PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
Name: "system-bar",
},
Rules: []flowcontrol.PolicyRulesWithSubjects{
{
Subjects: []flowcontrol.Subject{
{
Kind: flowcontrol.SubjectKindUser,
User: &flowcontrol.UserSubject{Name: "noxu"},
},
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{flowcontrol.NamespaceClusterScope, flowcontrol.NamespaceEvery},
},
},
},
},
},
},
expectedErrors: field.ErrorList{},
},
{
name: "NamespaceEvery may not be combined with particulars",
flowSchema: &flowcontrol.FlowSchema{
ObjectMeta: metav1.ObjectMeta{
Name: "system-foo",
},
Spec: flowcontrol.FlowSchemaSpec{
MatchingPrecedence: 50,
PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
Name: "system-bar",
},
Rules: []flowcontrol.PolicyRulesWithSubjects{
{
Subjects: []flowcontrol.Subject{
{
Kind: flowcontrol.SubjectKindUser,
User: &flowcontrol.UserSubject{Name: "noxu"},
},
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{"foo", flowcontrol.NamespaceEvery},
},
},
},
},
},
},
expectedErrors: field.ErrorList{
field.Invalid(field.NewPath("spec").Child("rules").Index(0).Child("resourceRules").Index(0).Child("namespaces"), []string{"foo", flowcontrol.NamespaceEvery}, "'*' may be accompanied only by 'Cluster Scope'"),
},
},
{
name: "ResourceRule.Namespaces must be well formed",
flowSchema: &flowcontrol.FlowSchema{
ObjectMeta: metav1.ObjectMeta{
Name: "system-foo",
},
Spec: flowcontrol.FlowSchemaSpec{
MatchingPrecedence: 50,
PriorityLevelConfiguration: flowcontrol.PriorityLevelConfigurationReference{
Name: "system-bar",
},
Rules: []flowcontrol.PolicyRulesWithSubjects{
{
Subjects: []flowcontrol.Subject{
{
Kind: flowcontrol.SubjectKindUser,
User: &flowcontrol.UserSubject{Name: "noxu"},
},
},
ResourceRules: []flowcontrol.ResourcePolicyRule{
{
Verbs: []string{flowcontrol.VerbAll},
APIGroups: []string{flowcontrol.APIGroupAll},
Resources: []string{flowcontrol.ResourceAll},
Namespaces: []string{"-foo"},
},
},
},
},
},
},
expectedErrors: field.ErrorList{
field.Invalid(field.NewPath("spec").Child("rules").Index(0).Child("resourceRules").Index(0).Child("namespaces").Index(0), "-foo", nsErrIntro+`a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name', or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')`),
},
},
}
for _, testCase := range testCases {
t.Run(testCase.name, func(t *testing.T) {

5
pkg/apis/flowcontrol/zz_generated.deepcopy.go generated
View File

@ -459,6 +459,11 @@ func (in *ResourcePolicyRule) DeepCopyInto(out *ResourcePolicyRule) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Namespaces != nil {
in, out := &in.Namespaces, &out.Namespaces
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}

230
staging/src/k8s.io/api/flowcontrol/v1alpha1/generated.pb.go generated
View File

@ -689,99 +689,95 @@ func init() {
}
var fileDescriptor_45ba024d525b289b = []byte{
// 1459 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x57, 0x4d, 0x6f, 0x13, 0xc7,
0x1b, 0xcf, 0x3a, 0x76, 0x12, 0x4f, 0xc8, 0x0b, 0x93, 0x3f, 0x8a, 0x15, 0x24, 0x3b, 0xec, 0x5f,
0x2a, 0xb4, 0xc0, 0x2e, 0xa1, 0x40, 0xa9, 0x50, 0x85, 0xb2, 0xd0, 0xf2, 0x96, 0xa4, 0xc9, 0x04,
0xa8, 0x8a, 0xa8, 0xc4, 0x64, 0x3d, 0xb1, 0x87, 0xd8, 0xbb, 0xdb, 0x99, 0x5d, 0xd3, 0x54, 0x1c,
0x2a, 0xf5, 0x03, 0xb4, 0x1f, 0x80, 0x63, 0x0f, 0x3d, 0xf7, 0x13, 0xf4, 0x18, 0x55, 0x3d, 0x70,
0xe4, 0x64, 0x11, 0xf7, 0x5a, 0xf5, 0x5c, 0x71, 0xaa, 0x66, 0x76, 0x76, 0xd7, 0xeb, 0x77, 0x1a,
0x89, 0x53, 0x6f, 0xde, 0xe7, 0xe5, 0xf7, 0xbc, 0xcc, 0x33, 0xcf, 0xfc, 0x0c, 0x6e, 0xef, 0x5d,
0xe5, 0x06, 0x75, 0xcd, 0xbd, 0x60, 0x87, 0x30, 0x87, 0xf8, 0x84, 0x9b, 0x0d, 0xe2, 0x94, 0x5d,
0x66, 0x2a, 0x05, 0xf6, 0xa8, 0xb9, 0x5b, 0x73, 0x9f, 0xd9, 0xae, 0xe3, 0x33, 0xb7, 0x66, 0x36,
0x56, 0x70, 0xcd, 0xab, 0xe2, 0x15, 0xb3, 0x42, 0x1c, 0xc2, 0xb0, 0x4f, 0xca, 0x86, 0xc7, 0x5c,
0xdf, 0x85, 0xa5, 0xd0, 0xc1, 0xc0, 0x1e, 0x35, 0xda, 0x1c, 0x8c, 0xc8, 0x61, 0xe9, 0x7c, 0x85,
0xfa, 0xd5, 0x60, 0xc7, 0xb0, 0xdd, 0xba, 0x59, 0x71, 0x2b, 0xae, 0x29, 0xfd, 0x76, 0x82, 0x5d,
0xf9, 0x25, 0x3f, 0xe4, 0xaf, 0x10, 0x6f, 0xe9, 0x52, 0x92, 0x40, 0x1d, 0xdb, 0x55, 0xea, 0x10,
0xb6, 0x6f, 0x7a, 0x7b, 0x15, 0x21, 0xe0, 0x66, 0x9d, 0xf8, 0xd8, 0x6c, 0x74, 0x65, 0xb1, 0x64,
0xf6, 0xf3, 0x62, 0x81, 0xe3, 0xd3, 0x3a, 0xe9, 0x72, 0xb8, 0x32, 0xcc, 0x81, 0xdb, 0x55, 0x52,
0xc7, 0x9d, 0x7e, 0xfa, 0x23, 0xb0, 0xf8, 0x59, 0xcd, 0x7d, 0x76, 0x93, 0x72, 0x9f, 0x3a, 0x95,
0x80, 0xf2, 0x2a, 0x61, 0xeb, 0xc4, 0xaf, 0xba, 0x65, 0x78, 0x1d, 0x64, 0xfd, 0x7d, 0x8f, 0x14,
0xb4, 0x65, 0xed, 0x4c, 0xde, 0x3a, 0x7b, 0xd0, 0x2c, 0x8d, 0xb5, 0x9a, 0xa5, 0xec, 0xfd, 0x7d,
0x8f, 0xbc, 0x69, 0x96, 0x4e, 0xf6, 0x71, 0x13, 0x6a, 0x24, 0x1d, 0xf5, 0x17, 0x19, 0x00, 0x84,
0xd5, 0xb6, 0x0c, 0x0d, 0x9f, 0x80, 0x29, 0x51, 0x6e, 0x19, 0xfb, 0x58, 0x62, 0x4e, 0x5f, 0xbc,
0x60, 0x24, 0xcd, 0x8e, 0xb3, 0x36, 0xbc, 0xbd, 0x8a, 0x10, 0x70, 0x43, 0x58, 0x1b, 0x8d, 0x15,
0xe3, 0xf3, 0x9d, 0xa7, 0xc4, 0xf6, 0xd7, 0x89, 0x8f, 0x2d, 0xa8, 0xb2, 0x00, 0x89, 0x0c, 0xc5,
0xa8, 0x70, 0x0b, 0x64, 0xb9, 0x47, 0xec, 0x42, 0x46, 0xa2, 0x9b, 0xc6, 0x90, 0xa3, 0x34, 0x92,
0xe4, 0xb6, 0x3d, 0x62, 0x5b, 0xc7, 0xa2, 0x12, 0xc5, 0x17, 0x92, 0x50, 0xf0, 0x4b, 0x30, 0xc1,
0x7d, 0xec, 0x07, 0xbc, 0x30, 0x2e, 0x41, 0x57, 0xde, 0x06, 0x54, 0x3a, 0x5a, 0xb3, 0x0a, 0x76,
0x22, 0xfc, 0x46, 0x0a, 0x50, 0x7f, 0x95, 0x01, 0x0b, 0x89, 0xf1, 0x0d, 0xd7, 0x29, 0x53, 0x9f,
0xba, 0x0e, 0xbc, 0x96, 0xea, 0xfb, 0xe9, 0x8e, 0xbe, 0x2f, 0xf6, 0x70, 0x49, 0x7a, 0x0e, 0x3f,
0x8e, 0xf3, 0xcd, 0x48, 0xf7, 0x53, 0xe9, 0xe0, 0x6f, 0x9a, 0xa5, 0xb9, 0xd8, 0x2d, 0x9d, 0x0f,
0x6c, 0x00, 0x58, 0xc3, 0xdc, 0xbf, 0xcf, 0xb0, 0xc3, 0x43, 0x58, 0x5a, 0x27, 0xaa, 0xec, 0x0f,
0x46, 0x3b, 0x29, 0xe1, 0x61, 0x2d, 0xa9, 0x90, 0x70, 0xad, 0x0b, 0x0d, 0xf5, 0x88, 0x00, 0xdf,
0x03, 0x13, 0x8c, 0x60, 0xee, 0x3a, 0x85, 0xac, 0x4c, 0x39, 0xee, 0x17, 0x92, 0x52, 0xa4, 0xb4,
0xf0, 0x7d, 0x30, 0x59, 0x27, 0x9c, 0xe3, 0x0a, 0x29, 0xe4, 0xa4, 0xe1, 0x9c, 0x32, 0x9c, 0x5c,
0x0f, 0xc5, 0x28, 0xd2, 0xeb, 0xbf, 0x6a, 0x60, 0x36, 0xe9, 0xd3, 0x1a, 0xe5, 0x3e, 0x7c, 0xdc,
0x35, 0x7d, 0xc6, 0x68, 0x35, 0x09, 0x6f, 0x39, 0x7b, 0xf3, 0x2a, 0xdc, 0x54, 0x24, 0x69, 0x9b,
0xbc, 0x4d, 0x90, 0xa3, 0x3e, 0xa9, 0x8b, 0xae, 0x8f, 0x9f, 0x99, 0xbe, 0x78, 0xf6, 0x2d, 0xa6,
0xc4, 0x9a, 0x51, 0xb8, 0xb9, 0x3b, 0x02, 0x01, 0x85, 0x40, 0xfa, 0x9f, 0xe3, 0xed, 0x25, 0x88,
0x89, 0x84, 0x3f, 0x6b, 0x60, 0xc9, 0x63, 0xd4, 0x65, 0xd4, 0xdf, 0x5f, 0x23, 0x0d, 0x52, 0xbb,
0xe1, 0x3a, 0xbb, 0xb4, 0x12, 0x30, 0x2c, 0x7a, 0xa9, 0xaa, 0xba, 0x39, 0x34, 0xf4, 0x66, 0x5f,
0x08, 0x44, 0x76, 0x09, 0x23, 0x8e, 0x4d, 0x2c, 0x5d, 0xe5, 0xb4, 0x34, 0xc0, 0x78, 0x40, 0x2e,
0xf0, 0x2e, 0x80, 0x75, 0xec, 0x8b, 0x9e, 0x56, 0x36, 0x19, 0xb1, 0x49, 0x59, 0xa0, 0xca, 0x91,
0xcc, 0x25, 0xf3, 0xb1, 0xde, 0x65, 0x81, 0x7a, 0x78, 0xc1, 0xef, 0x35, 0xb0, 0x50, 0xee, 0x5e,
0x34, 0x6a, 0x32, 0xaf, 0x8e, 0xd4, 0xea, 0x1e, 0x8b, 0xca, 0x5a, 0x6c, 0x35, 0x4b, 0x0b, 0x3d,
0x14, 0xa8, 0x57, 0x34, 0xf8, 0x15, 0xc8, 0xb1, 0xa0, 0x46, 0x78, 0x21, 0x2b, 0x4f, 0x78, 0x78,
0xd8, 0x4d, 0xb7, 0x46, 0xed, 0x7d, 0x24, 0x7c, 0xbe, 0xa0, 0x7e, 0x75, 0x3b, 0x90, 0x1b, 0x8b,
0x27, 0xc7, 0x2d, 0x55, 0x28, 0x44, 0xd5, 0x9f, 0x83, 0xf9, 0xce, 0xc5, 0x01, 0xab, 0x00, 0xd8,
0xd1, 0x5d, 0xe5, 0x05, 0x4d, 0xc6, 0xbd, 0xf4, 0x16, 0x93, 0x15, 0x5f, 0xf4, 0x64, 0x6d, 0xc6,
0x22, 0x8e, 0xda, 0xb0, 0xf5, 0x0b, 0xe0, 0xd8, 0x2d, 0xe6, 0x06, 0x9e, 0x4a, 0x12, 0x2e, 0x83,
0xac, 0x83, 0xeb, 0xd1, 0x0a, 0x8a, 0xf7, 0xe2, 0x06, 0xae, 0x13, 0x24, 0x35, 0xfa, 0x4f, 0x1a,
0x98, 0x59, 0xa3, 0x75, 0xea, 0x23, 0xc2, 0x3d, 0xd7, 0xe1, 0x04, 0x5e, 0x4e, 0xad, 0xad, 0x53,
0x1d, 0x6b, 0xeb, 0x78, 0xca, 0xb8, 0x6d, 0x61, 0x3d, 0x06, 0x93, 0x5f, 0x07, 0x24, 0xa0, 0x4e,
0x45, 0xad, 0xed, 0xcb, 0x43, 0x2b, 0xdc, 0x0a, 0xed, 0x53, 0x13, 0x67, 0x4d, 0x8b, 0x45, 0xa0,
0x34, 0x28, 0x82, 0xd4, 0xff, 0xd2, 0xc0, 0x29, 0x19, 0x99, 0x94, 0xfb, 0x4f, 0x32, 0x7c, 0x0c,
0x0a, 0x98, 0xf3, 0x80, 0x91, 0xf2, 0x0d, 0xd7, 0xb1, 0x03, 0x26, 0xee, 0xc0, 0xfe, 0x76, 0x15,
0x33, 0xc2, 0x65, 0x39, 0x39, 0x6b, 0x59, 0x95, 0x53, 0x58, 0xed, 0x63, 0x87, 0xfa, 0x22, 0xc0,
0x3d, 0x30, 0x53, 0x6b, 0x2f, 0x5e, 0xd5, 0x69, 0x0c, 0xad, 0x33, 0xd5, 0x32, 0xeb, 0x84, 0x4a,
0x21, 0xdd, 0x76, 0x94, 0xc6, 0xd6, 0x9f, 0x81, 0x13, 0x1b, 0xe2, 0x22, 0x73, 0x37, 0x60, 0x36,
0x49, 0x66, 0x10, 0x96, 0x40, 0xae, 0x41, 0xd8, 0x4e, 0x38, 0x47, 0x79, 0x2b, 0x2f, 0x26, 0xf0,
0xa1, 0x10, 0xa0, 0x50, 0x0e, 0x3f, 0x01, 0x73, 0x4e, 0xe2, 0xf9, 0x00, 0xad, 0xf1, 0xc2, 0x84,
0x34, 0x5d, 0x68, 0x35, 0x4b, 0x73, 0x1b, 0x69, 0x15, 0xea, 0xb4, 0xd5, 0x0f, 0x33, 0x60, 0xb1,
0xcf, 0xc8, 0xc3, 0x87, 0x60, 0x8a, 0xab, 0xdf, 0x6a, 0x8c, 0xcf, 0x0c, 0x2d, 0x5e, 0x39, 0x27,
0x5b, 0x37, 0x42, 0x43, 0x31, 0x16, 0xf4, 0xc0, 0x0c, 0x53, 0x39, 0xc8, 0xa0, 0x6a, 0xfb, 0x7e,
0x38, 0x14, 0xbc, 0xbb, 0x3f, 0x49, 0x7b, 0x51, 0x3b, 0x22, 0x4a, 0x07, 0x80, 0xcf, 0xc1, 0x7c,
0x5b, 0xe1, 0x61, 0xd0, 0x71, 0x19, 0xf4, 0xca, 0xd0, 0xa0, 0x3d, 0xcf, 0xc5, 0x2a, 0xa8, 0xb8,
0xf3, 0x1b, 0x1d, 0xb8, 0xa8, 0x2b, 0x92, 0xfe, 0x7b, 0x06, 0x0c, 0x58, 0xc8, 0xef, 0x80, 0x60,
0xe1, 0x14, 0xc1, 0xba, 0x7e, 0x84, 0xa7, 0xa6, 0x2f, 0xe1, 0xa2, 0x1d, 0x84, 0x6b, 0xf5, 0x28,
0x41, 0x06, 0x13, 0xb0, 0xbf, 0x33, 0xe0, 0xff, 0xfd, 0x9d, 0x13, 0x42, 0x76, 0x2f, 0xb5, 0xd9,
0x3e, 0xea, 0xd8, 0x6c, 0xa7, 0x47, 0x80, 0xf8, 0x8f, 0xa0, 0x75, 0x10, 0xb4, 0xd7, 0x1a, 0x28,
0xf6, 0xef, 0xdb, 0x3b, 0x20, 0x6c, 0x4f, 0xd2, 0x84, 0xed, 0xda, 0x11, 0xa6, 0xac, 0x0f, 0x81,
0xbb, 0x35, 0x68, 0xb8, 0x62, 0xa6, 0x35, 0xc2, 0x53, 0x7b, 0x30, 0xb0, 0x57, 0x92, 0x19, 0x0e,
0xf9, 0xcb, 0x90, 0xf2, 0xfe, 0xd4, 0xc1, 0x3b, 0x35, 0x52, 0x27, 0x8e, 0xaf, 0x26, 0x92, 0x82,
0xc9, 0x5a, 0xf8, 0x44, 0xaa, 0x7b, 0x6d, 0x8d, 0xf6, 0x32, 0x0d, 0x7a, 0x52, 0xc3, 0xe7, 0x58,
0x99, 0xa1, 0x08, 0x5f, 0x7f, 0xa1, 0x81, 0xe5, 0x61, 0xd7, 0x15, 0x7e, 0xd3, 0x83, 0xf6, 0x1c,
0x85, 0xd5, 0x8e, 0x4e, 0x83, 0x7e, 0xd1, 0xc0, 0xff, 0x7a, 0x91, 0x0b, 0x71, 0x03, 0x04, 0xa3,
0x88, 0xe9, 0x40, 0x7c, 0x03, 0xb6, 0xa4, 0x14, 0x29, 0x2d, 0x3c, 0x07, 0xa6, 0xaa, 0xd8, 0x29,
0x6f, 0xd3, 0x6f, 0x23, 0xb2, 0x1b, 0xcf, 0xe0, 0x6d, 0x25, 0x47, 0xb1, 0x05, 0xbc, 0x09, 0xe6,
0xa5, 0xdf, 0x1a, 0x71, 0x2a, 0x7e, 0x55, 0x36, 0x4b, 0xde, 0xe6, 0x5c, 0xf2, 0x28, 0x6c, 0x75,
0xe8, 0x51, 0x97, 0x87, 0xfe, 0x83, 0x06, 0xe0, 0xbf, 0x79, 0xef, 0xcf, 0x82, 0x3c, 0xf6, 0xa8,
0xa4, 0x7d, 0xe1, 0x2d, 0xc8, 0x5b, 0x33, 0xad, 0x66, 0x29, 0xbf, 0xba, 0x79, 0x27, 0x14, 0xa2,
0x44, 0x2f, 0x8c, 0xa3, 0x87, 0x30, 0x7c, 0xf0, 0x94, 0x71, 0x14, 0x98, 0xa3, 0x44, 0xaf, 0x3f,
0x05, 0x27, 0xb6, 0x09, 0x6b, 0x50, 0x9b, 0xac, 0xda, 0xb6, 0x1b, 0x38, 0x7e, 0x44, 0x2b, 0x4d,
0x90, 0x17, 0x13, 0xcd, 0x3d, 0x6c, 0x47, 0xb3, 0x7a, 0x5c, 0x55, 0x9a, 0xdf, 0x88, 0x14, 0x28,
0xb1, 0x89, 0x2f, 0x47, 0xa6, 0xef, 0xe5, 0xf8, 0x2d, 0x03, 0x26, 0x13, 0xf8, 0xec, 0x1e, 0x75,
0xca, 0x0a, 0xf9, 0x64, 0x64, 0x7d, 0x8f, 0x3a, 0xe5, 0x37, 0xcd, 0xd2, 0xb4, 0x32, 0x13, 0x9f,
0x48, 0x1a, 0xc2, 0xbb, 0x20, 0x1b, 0x70, 0xc2, 0xd4, 0xd8, 0x9f, 0x1b, 0x3a, 0x63, 0x0f, 0x38,
0x61, 0x11, 0x2f, 0x99, 0x12, 0xd0, 0x42, 0x80, 0x24, 0x06, 0xdc, 0x00, 0xb9, 0x8a, 0xe8, 0x95,
0xda, 0xc7, 0xe7, 0x87, 0x82, 0xb5, 0x13, 0xee, 0xf0, 0x78, 0xa4, 0x04, 0x85, 0x30, 0x90, 0x81,
0x59, 0x9e, 0x6a, 0xa2, 0x5c, 0xbe, 0xa3, 0xf0, 0x8c, 0x9e, 0xbd, 0xb7, 0x60, 0xab, 0x59, 0x9a,
0x4d, 0xab, 0x50, 0x47, 0x04, 0xdd, 0x04, 0xd3, 0x6d, 0x25, 0x0e, 0x5f, 0x4d, 0x96, 0x71, 0x70,
0x58, 0x1c, 0x7b, 0x79, 0x58, 0x1c, 0x7b, 0x75, 0x58, 0x1c, 0xfb, 0xae, 0x55, 0xd4, 0x0e, 0x5a,
0x45, 0xed, 0x65, 0xab, 0xa8, 0xbd, 0x6a, 0x15, 0xb5, 0xd7, 0xad, 0xa2, 0xf6, 0xe3, 0x1f, 0xc5,
0xb1, 0x47, 0x53, 0x51, 0x6a, 0xff, 0x04, 0x00, 0x00, 0xff, 0xff, 0xcb, 0xe4, 0x65, 0x97, 0xa7,
0x13, 0x00, 0x00,
// 1400 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xec, 0x56, 0xdd, 0x6e, 0xd4, 0xc6,
0x17, 0x8f, 0x37, 0xbb, 0x49, 0x76, 0x42, 0x3e, 0xfe, 0x93, 0x3f, 0xca, 0x36, 0x48, 0xbb, 0xa9,
0x2b, 0x15, 0x28, 0x60, 0x13, 0x4a, 0x29, 0x15, 0x42, 0x28, 0x06, 0x95, 0xaf, 0x24, 0x4d, 0x26,
0x40, 0x55, 0x44, 0x25, 0x26, 0xde, 0x89, 0x77, 0xc8, 0xae, 0xed, 0xce, 0xd8, 0x4b, 0x53, 0x71,
0x51, 0xa9, 0x2f, 0xc0, 0x03, 0xf0, 0x00, 0x7d, 0x89, 0xaa, 0xbd, 0x44, 0x55, 0x2f, 0xb8, 0xe4,
0x6a, 0x45, 0xb6, 0xb7, 0x7d, 0x80, 0x8a, 0xab, 0x6a, 0xc6, 0x63, 0x7b, 0xbd, 0x1f, 0xd9, 0xa5,
0x91, 0xb8, 0xea, 0x9d, 0x7d, 0x3e, 0x7e, 0xe7, 0xcc, 0x6f, 0xce, 0x99, 0x73, 0xc0, 0xad, 0xbd,
0xcb, 0xdc, 0xa0, 0x9e, 0xb9, 0x17, 0xee, 0x10, 0xe6, 0x92, 0x80, 0x70, 0xb3, 0x49, 0xdc, 0xaa,
0xc7, 0x4c, 0xa5, 0xc0, 0x3e, 0x35, 0x77, 0xeb, 0xde, 0x53, 0xdb, 0x73, 0x03, 0xe6, 0xd5, 0xcd,
0xe6, 0x0a, 0xae, 0xfb, 0x35, 0xbc, 0x62, 0x3a, 0xc4, 0x25, 0x0c, 0x07, 0xa4, 0x6a, 0xf8, 0xcc,
0x0b, 0x3c, 0x58, 0x89, 0x1c, 0x0c, 0xec, 0x53, 0xa3, 0xc3, 0xc1, 0x88, 0x1d, 0x96, 0xce, 0x39,
0x34, 0xa8, 0x85, 0x3b, 0x86, 0xed, 0x35, 0x4c, 0xc7, 0x73, 0x3c, 0x53, 0xfa, 0xed, 0x84, 0xbb,
0xf2, 0x4f, 0xfe, 0xc8, 0xaf, 0x08, 0x6f, 0xe9, 0x62, 0x9a, 0x40, 0x03, 0xdb, 0x35, 0xea, 0x12,
0xb6, 0x6f, 0xfa, 0x7b, 0x8e, 0x10, 0x70, 0xb3, 0x41, 0x02, 0x6c, 0x36, 0x7b, 0xb2, 0x58, 0x32,
0x07, 0x79, 0xb1, 0xd0, 0x0d, 0x68, 0x83, 0xf4, 0x38, 0x5c, 0x1a, 0xe6, 0xc0, 0xed, 0x1a, 0x69,
0xe0, 0x6e, 0x3f, 0xfd, 0x21, 0x58, 0xfc, 0xb2, 0xee, 0x3d, 0xbd, 0x41, 0x79, 0x40, 0x5d, 0x27,
0xa4, 0xbc, 0x46, 0xd8, 0x3a, 0x09, 0x6a, 0x5e, 0x15, 0x5e, 0x03, 0xf9, 0x60, 0xdf, 0x27, 0x25,
0x6d, 0x59, 0x3b, 0x55, 0xb4, 0xce, 0xbc, 0x6c, 0x55, 0xc6, 0xda, 0xad, 0x4a, 0xfe, 0xde, 0xbe,
0x4f, 0xde, 0xb6, 0x2a, 0x27, 0x06, 0xb8, 0x09, 0x35, 0x92, 0x8e, 0xfa, 0x8b, 0x1c, 0x00, 0xc2,
0x6a, 0x5b, 0x86, 0x86, 0x8f, 0xc1, 0x94, 0x38, 0x6e, 0x15, 0x07, 0x58, 0x62, 0x4e, 0x5f, 0x38,
0x6f, 0xa4, 0x64, 0x27, 0x59, 0x1b, 0xfe, 0x9e, 0x23, 0x04, 0xdc, 0x10, 0xd6, 0x46, 0x73, 0xc5,
0xf8, 0x6a, 0xe7, 0x09, 0xb1, 0x83, 0x75, 0x12, 0x60, 0x0b, 0xaa, 0x2c, 0x40, 0x2a, 0x43, 0x09,
0x2a, 0xdc, 0x02, 0x79, 0xee, 0x13, 0xbb, 0x94, 0x93, 0xe8, 0xa6, 0x31, 0xe4, 0x2a, 0x8d, 0x34,
0xb9, 0x6d, 0x9f, 0xd8, 0xd6, 0xb1, 0xf8, 0x88, 0xe2, 0x0f, 0x49, 0x28, 0xf8, 0x0d, 0x98, 0xe0,
0x01, 0x0e, 0x42, 0x5e, 0x1a, 0x97, 0xa0, 0x2b, 0xef, 0x02, 0x2a, 0x1d, 0xad, 0x59, 0x05, 0x3b,
0x11, 0xfd, 0x23, 0x05, 0xa8, 0xbf, 0xce, 0x81, 0x85, 0xd4, 0xf8, 0xba, 0xe7, 0x56, 0x69, 0x40,
0x3d, 0x17, 0x5e, 0xc9, 0xf0, 0x7e, 0xb2, 0x8b, 0xf7, 0xc5, 0x3e, 0x2e, 0x29, 0xe7, 0xf0, 0x8b,
0x24, 0xdf, 0x9c, 0x74, 0xff, 0x30, 0x1b, 0xfc, 0x6d, 0xab, 0x32, 0x97, 0xb8, 0x65, 0xf3, 0x81,
0x4d, 0x00, 0xeb, 0x98, 0x07, 0xf7, 0x18, 0x76, 0x79, 0x04, 0x4b, 0x1b, 0x44, 0x1d, 0xfb, 0x93,
0xd1, 0x6e, 0x4a, 0x78, 0x58, 0x4b, 0x2a, 0x24, 0x5c, 0xeb, 0x41, 0x43, 0x7d, 0x22, 0xc0, 0x8f,
0xc1, 0x04, 0x23, 0x98, 0x7b, 0x6e, 0x29, 0x2f, 0x53, 0x4e, 0xf8, 0x42, 0x52, 0x8a, 0x94, 0x16,
0x9e, 0x06, 0x93, 0x0d, 0xc2, 0x39, 0x76, 0x48, 0xa9, 0x20, 0x0d, 0xe7, 0x94, 0xe1, 0xe4, 0x7a,
0x24, 0x46, 0xb1, 0x5e, 0xff, 0x4d, 0x03, 0xb3, 0x29, 0x4f, 0x6b, 0x94, 0x07, 0xf0, 0x51, 0x4f,
0xf5, 0x19, 0xa3, 0x9d, 0x49, 0x78, 0xcb, 0xda, 0x9b, 0x57, 0xe1, 0xa6, 0x62, 0x49, 0x47, 0xe5,
0x6d, 0x82, 0x02, 0x0d, 0x48, 0x43, 0xb0, 0x3e, 0x7e, 0x6a, 0xfa, 0xc2, 0x99, 0x77, 0xa8, 0x12,
0x6b, 0x46, 0xe1, 0x16, 0x6e, 0x0b, 0x04, 0x14, 0x01, 0xe9, 0x7f, 0x8d, 0x77, 0x1e, 0x41, 0x54,
0x24, 0xfc, 0x59, 0x03, 0x4b, 0x3e, 0xa3, 0x1e, 0xa3, 0xc1, 0xfe, 0x1a, 0x69, 0x92, 0xfa, 0x75,
0xcf, 0xdd, 0xa5, 0x4e, 0xc8, 0xb0, 0xe0, 0x52, 0x9d, 0xea, 0xc6, 0xd0, 0xd0, 0x9b, 0x03, 0x21,
0x10, 0xd9, 0x25, 0x8c, 0xb8, 0x36, 0xb1, 0x74, 0x95, 0xd3, 0xd2, 0x21, 0xc6, 0x87, 0xe4, 0x02,
0xef, 0x00, 0xd8, 0xc0, 0x81, 0xe0, 0xd4, 0xd9, 0x64, 0xc4, 0x26, 0x55, 0x81, 0x2a, 0x4b, 0xb2,
0x90, 0xd6, 0xc7, 0x7a, 0x8f, 0x05, 0xea, 0xe3, 0x05, 0x7f, 0xd2, 0xc0, 0x42, 0xb5, 0xf7, 0xa1,
0x51, 0x95, 0x79, 0x79, 0x24, 0xaa, 0xfb, 0x3c, 0x54, 0xd6, 0x62, 0xbb, 0x55, 0x59, 0xe8, 0xa3,
0x40, 0xfd, 0xa2, 0xc1, 0x6f, 0x41, 0x81, 0x85, 0x75, 0xc2, 0x4b, 0x79, 0x79, 0xc3, 0xc3, 0xc3,
0x6e, 0x7a, 0x75, 0x6a, 0xef, 0x23, 0xe1, 0xf3, 0x35, 0x0d, 0x6a, 0xdb, 0xa1, 0x7c, 0xb1, 0x78,
0x7a, 0xdd, 0x52, 0x85, 0x22, 0x54, 0xfd, 0x19, 0x98, 0xef, 0x7e, 0x38, 0x60, 0x0d, 0x00, 0x3b,
0xee, 0x55, 0x5e, 0xd2, 0x64, 0xdc, 0x8b, 0xef, 0x50, 0x59, 0x49, 0xa3, 0xa7, 0xcf, 0x66, 0x22,
0xe2, 0xa8, 0x03, 0x5b, 0x3f, 0x0f, 0x8e, 0xdd, 0x64, 0x5e, 0xe8, 0xab, 0x24, 0xe1, 0x32, 0xc8,
0xbb, 0xb8, 0x11, 0x3f, 0x41, 0xc9, 0xbb, 0xb8, 0x81, 0x1b, 0x04, 0x49, 0x8d, 0xfe, 0x14, 0x1c,
0xdf, 0x10, 0x05, 0xc3, 0xbd, 0x90, 0xd9, 0x24, 0x3d, 0x2b, 0xac, 0x80, 0x42, 0x93, 0xb0, 0x9d,
0x28, 0xdf, 0xa2, 0x55, 0x14, 0x27, 0x7d, 0x20, 0x04, 0x28, 0x92, 0xc3, 0xab, 0x60, 0xce, 0x4d,
0x3d, 0xef, 0xa3, 0x35, 0x5e, 0x9a, 0x90, 0xa6, 0x0b, 0xed, 0x56, 0x65, 0x6e, 0x23, 0xab, 0x42,
0xdd, 0xb6, 0xfa, 0x41, 0x0e, 0x2c, 0x0e, 0xa0, 0x16, 0x3e, 0x00, 0x53, 0x5c, 0x7d, 0x2b, 0xba,
0x4e, 0x0d, 0xa5, 0x4b, 0x39, 0xa7, 0xdd, 0x1d, 0xa3, 0xa1, 0x04, 0x0b, 0xfa, 0x60, 0x86, 0xa9,
0x1c, 0x64, 0x50, 0xd5, 0xe5, 0x9f, 0x0e, 0x05, 0xef, 0xe5, 0xc7, 0x3a, 0xae, 0xe2, 0xcc, 0xa0,
0x4e, 0x44, 0x94, 0x0d, 0x00, 0x9f, 0x81, 0xf9, 0x8e, 0x83, 0x47, 0x41, 0xc7, 0x65, 0xd0, 0x4b,
0x43, 0x83, 0xf6, 0xbd, 0x17, 0xab, 0xa4, 0xe2, 0xce, 0x6f, 0x74, 0xe1, 0xa2, 0x9e, 0x48, 0xfa,
0x1f, 0x39, 0x70, 0x48, 0xe3, 0xbf, 0x87, 0x41, 0x8e, 0x33, 0x83, 0xfc, 0xda, 0x11, 0x9e, 0xb4,
0x81, 0x83, 0x9d, 0x76, 0x0d, 0xf6, 0xd5, 0xa3, 0x04, 0x39, 0x7c, 0xd0, 0xff, 0x9d, 0x03, 0x1f,
0x0d, 0x76, 0x4e, 0x07, 0xff, 0xdd, 0xcc, 0xe0, 0xff, 0xbc, 0x6b, 0xf0, 0x9f, 0x1c, 0x01, 0xe2,
0xbf, 0x45, 0xa0, 0x6b, 0x11, 0x78, 0xa3, 0x81, 0xf2, 0x60, 0xde, 0xde, 0xc3, 0x62, 0xf0, 0x38,
0xbb, 0x18, 0x5c, 0x39, 0x42, 0x95, 0x0d, 0x58, 0x14, 0x6e, 0x1e, 0x56, 0x5c, 0xc9, 0x44, 0x1f,
0xe1, 0x49, 0xff, 0xe5, 0x50, 0xae, 0xe4, 0x06, 0x72, 0x35, 0x53, 0xa1, 0xa7, 0xbb, 0x2a, 0xf4,
0x83, 0x8c, 0xf7, 0x56, 0x48, 0x42, 0x42, 0x5d, 0xa7, 0xa3, 0x26, 0x1f, 0x81, 0xc9, 0xef, 0x42,
0x12, 0x52, 0xd7, 0x51, 0x9d, 0xfd, 0xd9, 0x50, 0x3a, 0xb6, 0x22, 0xfb, 0x2c, 0x11, 0xd3, 0xe2,
0xae, 0x95, 0x06, 0xc5, 0x90, 0xfa, 0x0b, 0x0d, 0x2c, 0x0f, 0xeb, 0x51, 0xf8, 0x7d, 0x9f, 0x99,
0x7a, 0x94, 0x95, 0x69, 0xf4, 0x19, 0xfb, 0x3c, 0x07, 0xfe, 0xdf, 0xef, 0x34, 0xf0, 0x11, 0x28,
0x61, 0xce, 0x43, 0x46, 0xaa, 0xd7, 0x3d, 0xd7, 0x0e, 0x99, 0xb8, 0xaf, 0xfd, 0xed, 0x1a, 0x66,
0x84, 0x4b, 0xa2, 0x0b, 0xd6, 0xb2, 0x82, 0x2e, 0xad, 0x0e, 0xb0, 0x43, 0x03, 0x11, 0x44, 0x53,
0x09, 0x82, 0x08, 0x57, 0xdb, 0x57, 0xd2, 0x54, 0xf2, 0x7e, 0x38, 0x52, 0x5a, 0x78, 0x16, 0x4c,
0xd5, 0xb0, 0x5b, 0xdd, 0xa6, 0x3f, 0x44, 0xad, 0x5e, 0x48, 0xcb, 0xfa, 0x96, 0x92, 0xa3, 0xc4,
0x02, 0xde, 0x00, 0xf3, 0xd2, 0x6f, 0x8d, 0xb8, 0x4e, 0x50, 0x5b, 0xa3, 0x0d, 0x1a, 0xc8, 0xa6,
0x2d, 0xa4, 0x73, 0x66, 0xab, 0x4b, 0x8f, 0x7a, 0x3c, 0xf4, 0x5f, 0x35, 0x00, 0xff, 0xcd, 0x0a,
0x71, 0x06, 0x14, 0xb1, 0x4f, 0xe5, 0xc6, 0x12, 0x35, 0x56, 0xd1, 0x9a, 0x69, 0xb7, 0x2a, 0xc5,
0xd5, 0xcd, 0xdb, 0x91, 0x10, 0xa5, 0x7a, 0x61, 0x1c, 0xcf, 0xd6, 0x68, 0x86, 0x2a, 0xe3, 0x38,
0x30, 0x47, 0xa9, 0x1e, 0x1a, 0x00, 0x88, 0x5e, 0xe0, 0x3e, 0xb6, 0xd5, 0xaa, 0x57, 0xb4, 0x66,
0xc5, 0xa5, 0x6e, 0x24, 0x52, 0xd4, 0x61, 0xa1, 0x3f, 0x01, 0xc7, 0xb7, 0x09, 0x6b, 0x52, 0x9b,
0xac, 0xda, 0xb6, 0x17, 0xba, 0x41, 0xbc, 0x41, 0x99, 0xa0, 0x98, 0x98, 0xa9, 0x76, 0xf9, 0x9f,
0x62, 0xa6, 0x98, 0x60, 0xa1, 0xd4, 0x26, 0xe9, 0xcf, 0xdc, 0xc0, 0xfe, 0xfc, 0x3d, 0x07, 0x26,
0x53, 0xf8, 0xfc, 0x1e, 0x75, 0xab, 0x0a, 0xf9, 0x44, 0x6c, 0x7d, 0x97, 0xba, 0xd5, 0xb7, 0xad,
0xca, 0xb4, 0x32, 0x13, 0xbf, 0x48, 0x1a, 0xc2, 0x3b, 0x20, 0x1f, 0x72, 0xc2, 0x54, 0xdf, 0x9d,
0x1d, 0x5a, 0xf1, 0xf7, 0x39, 0x61, 0xf1, 0x6a, 0x34, 0x25, 0xa0, 0x85, 0x00, 0x49, 0x0c, 0xb8,
0x01, 0x0a, 0x8e, 0xe0, 0x56, 0x8d, 0x84, 0x73, 0x43, 0xc1, 0x3a, 0x77, 0xcb, 0xe8, 0x3a, 0xa5,
0x04, 0x45, 0x30, 0x90, 0x81, 0x59, 0x9e, 0x21, 0x51, 0x96, 0xd2, 0x28, 0xab, 0x4e, 0x5f, 0xee,
0x2d, 0xd8, 0x6e, 0x55, 0x66, 0xb3, 0x2a, 0xd4, 0x15, 0x41, 0x37, 0xc1, 0x74, 0xc7, 0x11, 0x87,
0xbf, 0x8e, 0x96, 0xf1, 0xf2, 0xa0, 0x3c, 0xf6, 0xea, 0xa0, 0x3c, 0xf6, 0xfa, 0xa0, 0x3c, 0xf6,
0x63, 0xbb, 0xac, 0xbd, 0x6c, 0x97, 0xb5, 0x57, 0xed, 0xb2, 0xf6, 0xba, 0x5d, 0xd6, 0xde, 0xb4,
0xcb, 0xda, 0xf3, 0x3f, 0xcb, 0x63, 0x0f, 0xa7, 0xe2, 0xd4, 0xfe, 0x09, 0x00, 0x00, 0xff, 0xff,
0x94, 0x08, 0x88, 0x43, 0x92, 0x12, 0x00, 0x00,
}
func (m *FlowDistinguisherMethod) Marshal() (dAtA []byte, err error) {
@ -1584,6 +1580,15 @@ func (m *ResourcePolicyRule) MarshalToSizedBuffer(dAtA []byte) (int, error) {
_ = i
var l int
_ = l
if len(m.Namespaces) > 0 {
for iNdEx := len(m.Namespaces) - 1; iNdEx >= 0; iNdEx-- {
i -= len(m.Namespaces[iNdEx])
copy(dAtA[i:], m.Namespaces[iNdEx])
i = encodeVarintGenerated(dAtA, i, uint64(len(m.Namespaces[iNdEx])))
i--
dAtA[i] = 0x22
}
}
if len(m.Resources) > 0 {
for iNdEx := len(m.Resources) - 1; iNdEx >= 0; iNdEx-- {
i -= len(m.Resources[iNdEx])
@ -2063,6 +2068,12 @@ func (m *ResourcePolicyRule) Size() (n int) {
n += 1 + l + sovGenerated(uint64(l))
}
}
if len(m.Namespaces) > 0 {
for _, s := range m.Namespaces {
l = len(s)
n += 1 + l + sovGenerated(uint64(l))
}
}
return n
}
@ -2372,6 +2383,7 @@ func (this *ResourcePolicyRule) String() string {
`Verbs:` + fmt.Sprintf("%v", this.Verbs) + `,`,
`APIGroups:` + fmt.Sprintf("%v", this.APIGroups) + `,`,
`Resources:` + fmt.Sprintf("%v", this.Resources) + `,`,
`Namespaces:` + fmt.Sprintf("%v", this.Namespaces) + `,`,
`}`,
}, "")
return s
@ -4848,6 +4860,38 @@ func (m *ResourcePolicyRule) Unmarshal(dAtA []byte) error {
}
m.Resources = append(m.Resources, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
case 4:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field Namespaces", wireType)
}
var stringLen uint64
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowGenerated
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
stringLen |= uint64(b&0x7F) << shift
if b < 0x80 {
break
}
}
intStringLen := int(stringLen)
if intStringLen < 0 {
return ErrInvalidLengthGenerated
}
postIndex := iNdEx + intStringLen
if postIndex < 0 {
return ErrInvalidLengthGenerated
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
m.Namespaces = append(m.Namespaces, string(dAtA[iNdEx:postIndex]))
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipGenerated(dAtA[iNdEx:])

51
staging/src/k8s.io/api/flowcontrol/v1alpha1/generated.proto
View File

@ -349,30 +349,59 @@ message QueuingConfiguration {
optional int32 queueLengthLimit = 3;
}
// ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target
// resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member
// of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member
// of resources matches the request.
// ResourcePolicyRule is a predicate that matches some resource
// requests, testing the request's verb and the target resource. A
// ResourcePolicyRule matches a resource request if and only if: (a)
// at least one member of verbs matches the request, (b) at least one
// member of apiGroups matches the request, (c) at least one member of
// resources matches the request, and (d) least one member of
// namespaces matches the request.
message ResourcePolicyRule {
// `verbs` is a list of matching verbs and may not be empty.
// "*" matches all verbs. if it is present, it must be the only entry.
// "*" matches all verbs and, if present, must be the only entry.
// +listType=set
// Required.
repeated string verbs = 1;
// `apiGroups` is a list of matching API groups and may not be empty.
// "*" matches all api-groups. if it is present, it must be the only entry.
// "*" matches all API groups and, if present, must be the only entry.
// +listType=set
// Required.
repeated string apiGroups = 2;
// `resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.
// For example, [ "services", "nodes/status" ].
// This list may not be empty.
// "*" matches all resources. if it is present, it must be the only entry.
// +listType=set
// `resources` is a list of matching resources (i.e., lowercase
// and plural) with, if desired, subresource. For example, [
// "services", "nodes/status" ]. This list may not be empty.
// "*" matches all resources and, if present, must be the only entry.
// Required.
// +listType=set
repeated string resources = 3;
// `namespaces` is a list of target namespaces that restricts
// matches. A request that does not specify a target namespace
// (which happens both when the resource is not namespaced and
// when the resource is namespaced and the request is for all
// namespaces) matches only if this list includes "Cluster Scope"
// (this string is not a valid namespace and thus can not be
// confused with an actual namespace). A request that specifies a
// target namespace matches only if either (a) this list contains
// that target namespace or (b) this list contains "*".
//
// This list may not be omitted or empty. If the list contains
// "*" then the only other allowed member is "Cluster Scope".
// Without "*", it is allowed to list "Cluster Scope" along with
// particular namespaces.
//
// Requests will match only if the values in this list are
// appropriate for the resource(s) involved. For example: for a
// cluster scoped resource (i.e., one not namespaced) a request
// can match only if this list contains "Cluster Scope". It is
// entirely up to the client to populate this list with
// appropriate values; the server-performed validation does not
// (at least in this alpha) address this issue.
//
// +listType=set
repeated string namespaces = 4;
}
// ServiceAccountSubject holds detailed information for service-account-kind subject.

57
staging/src/k8s.io/api/flowcontrol/v1alpha1/types.go
View File

@ -26,8 +26,10 @@ const (
ResourceAll = "*"
VerbAll = "*"
NonResourceAll = "*"
NameAll = "*"
NameAll = "*"
NamespaceEvery = "*" // matches every particular namespace
NamespaceClusterScope = "Cluster Scope" // matches absence of namespace
)
// System preset priority level names
@ -210,28 +212,59 @@ type ServiceAccountSubject struct {
Name string `json:"name" protobuf:"bytes,2,opt,name=name"`
}
// ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target
// resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member
// of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member
// of resources matches the request.
// ResourcePolicyRule is a predicate that matches some resource
// requests, testing the request's verb and the target resource. A
// ResourcePolicyRule matches a resource request if and only if: (a)
// at least one member of verbs matches the request, (b) at least one
// member of apiGroups matches the request, (c) at least one member of
// resources matches the request, and (d) least one member of
// namespaces matches the request.
type ResourcePolicyRule struct {
// `verbs` is a list of matching verbs and may not be empty.
// "*" matches all verbs. if it is present, it must be the only entry.
// "*" matches all verbs and, if present, must be the only entry.
// +listType=set
// Required.
Verbs []string `json:"verbs" protobuf:"bytes,1,rep,name=verbs"`
// `apiGroups` is a list of matching API groups and may not be empty.
// "*" matches all api-groups. if it is present, it must be the only entry.
// "*" matches all API groups and, if present, must be the only entry.
// +listType=set
// Required.
APIGroups []string `json:"apiGroups" protobuf:"bytes,2,rep,name=apiGroups"`
// `resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource.
// For example, [ "services", "nodes/status" ].
// This list may not be empty.
// "*" matches all resources. if it is present, it must be the only entry.
// +listType=set
// `resources` is a list of matching resources (i.e., lowercase
// and plural) with, if desired, subresource. For example, [
// "services", "nodes/status" ]. This list may not be empty.
// "*" matches all resources and, if present, must be the only entry.
// Required.
// +listType=set
Resources []string `json:"resources" protobuf:"bytes,3,rep,name=resources"`
// `namespaces` is a list of target namespaces that restricts
// matches. A request that does not specify a target namespace
// (which happens both when the resource is not namespaced and
// when the resource is namespaced and the request is for all
// namespaces) matches only if this list includes "Cluster Scope"
// (this string is not a valid namespace and thus can not be
// confused with an actual namespace). A request that specifies a
// target namespace matches only if either (a) this list contains
// that target namespace or (b) this list contains "*".
//
// This list may not be omitted or empty. If the list contains
// "*" then the only other allowed member is "Cluster Scope".
// Without "*", it is allowed to list "Cluster Scope" along with
// particular namespaces.
//
// Requests will match only if the values in this list are
// appropriate for the resource(s) involved. For example: for a
// cluster scoped resource (i.e., one not namespaced) a request
// can match only if this list contains "Cluster Scope". It is
// entirely up to the client to populate this list with
// appropriate values; the server-performed validation does not
// (at least in this alpha) address this issue.
//
// +listType=set
Namespaces []string `json:"namespaces" protobuf:"bytes,4,rep,name=namespaces"`
}
// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the

9
staging/src/k8s.io/api/flowcontrol/v1alpha1/types_swagger_doc_generated.go generated
View File

@ -215,10 +215,11 @@ func (QueuingConfiguration) SwaggerDoc() map[string]string {
}
var map_ResourcePolicyRule = map[string]string{
"": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, and (c) at least one member of resources matches the request.",
"verbs": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs. if it is present, it must be the only entry. Required.",
"apiGroups": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all api-groups. if it is present, it must be the only entry. Required.",
"resources": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources. if it is present, it must be the only entry. Required.",
"": "ResourcePolicyRule is a predicate that matches some resource requests, testing the request's verb and the target resource. A ResourcePolicyRule matches a resource request if and only if: (a) at least one member of verbs matches the request, (b) at least one member of apiGroups matches the request, (c) at least one member of resources matches the request, and (d) least one member of namespaces matches the request.",
"verbs": "`verbs` is a list of matching verbs and may not be empty. \"*\" matches all verbs and, if present, must be the only entry. Required.",
"apiGroups": "`apiGroups` is a list of matching API groups and may not be empty. \"*\" matches all API groups and, if present, must be the only entry. Required.",
"resources": "`resources` is a list of matching resources (i.e., lowercase and plural) with, if desired, subresource. For example, [ \"services\", \"nodes/status\" ]. This list may not be empty. \"*\" matches all resources and, if present, must be the only entry. Required.",
"namespaces": "`namespaces` is a list of target namespaces that restricts matches. A request that does not specify a target namespace (which happens both when the resource is not namespaced and when the resource is namespaced and the request is for all namespaces) matches only if this list includes \"Cluster Scope\" (this string is not a valid namespace and thus can not be confused with an actual namespace). A request that specifies a target namespace matches only if either (a) this list contains that target namespace or (b) this list contains \"*\".\n\nThis list may not be omitted or empty. If the list contains \"*\" then the only other allowed member is \"Cluster Scope\". Without \"*\", it is allowed to list \"Cluster Scope\" along with particular namespaces.\n\nRequests will match only if the values in this list are appropriate for the resource(s) involved. For example: for a cluster scoped resource (i.e., one not namespaced) a request can match only if this list contains \"Cluster Scope\". It is entirely up to the client to populate this list with appropriate values; the server-performed validation does not (at least in this alpha) address this issue.",
}
func (ResourcePolicyRule) SwaggerDoc() map[string]string {

5
staging/src/k8s.io/api/flowcontrol/v1alpha1/zz_generated.deepcopy.go generated
View File

@ -459,6 +459,11 @@ func (in *ResourcePolicyRule) DeepCopyInto(out *ResourcePolicyRule) {
*out = make([]string, len(*in))
copy(*out, *in)
}
if in.Namespaces != nil {
in, out := &in.Namespaces, &out.Namespaces
*out = make([]string, len(*in))
copy(*out, *in)
}
return
}