diff --git a/staging/src/k8s.io/kubelet/config/v1/doc.go b/staging/src/k8s.io/kubelet/config/v1/doc.go new file mode 100644 index 00000000000..5644377d6c8 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/doc.go @@ -0,0 +1,21 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:openapi-gen=true +// +groupName=kubelet.config.k8s.io + +package v1beta1 // import "k8s.io/kubelet/config/v1beta1" diff --git a/staging/src/k8s.io/kubelet/config/v1/register.go b/staging/src/k8s.io/kubelet/config/v1/register.go new file mode 100644 index 00000000000..22bdfbb4cba --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/register.go @@ -0,0 +1,45 @@ +/* +Copyright 2018 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName is the group name used in this package +const GroupName = "kubelet.config.k8s.io" + +// SchemeGroupVersion is group version used to register these objects +var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} + +var ( + // SchemeBuilder is the scheme builder with scheme init functions to run for this API package + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + // AddToScheme is a global function that registers this API group & version to a scheme + AddToScheme = SchemeBuilder.AddToScheme +) + +// addKnownTypes registers known types to the given scheme +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &KubeletConfiguration{}, + &SerializedNodeConfigSource{}, + &CredentialProviderConfig{}, + ) + return nil +} diff --git a/staging/src/k8s.io/kubelet/config/v1/register_test.go b/staging/src/k8s.io/kubelet/config/v1/register_test.go new file mode 100644 index 00000000000..7e45b544602 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/register_test.go @@ -0,0 +1,36 @@ +/* +Copyright 2020 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + "testing" + + componentconfigtesting "k8s.io/component-base/config/testing" +) + +func TestComponentConfigSetup(t *testing.T) { + pkginfo := &componentconfigtesting.ComponentConfigPackage{ + ComponentName: "kubelet", + GroupName: GroupName, + SchemeGroupVersion: SchemeGroupVersion, + AddToScheme: AddToScheme, + } + + if err := componentconfigtesting.VerifyExternalTypePackage(pkginfo); err != nil { + t.Fatal(err) + } +} diff --git a/staging/src/k8s.io/kubelet/config/v1/types.go b/staging/src/k8s.io/kubelet/config/v1/types.go new file mode 100644 index 00000000000..2504f2aa253 --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/types.go @@ -0,0 +1,967 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + v1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + logsapi "k8s.io/component-base/logs/api/v1" +) + +// HairpinMode denotes how the kubelet should configure networking to handle +// hairpin packets. +type HairpinMode string + +// Enum settings for different ways to handle hairpin packets. +const ( + // Set the hairpin flag on the veth of containers in the respective + // container runtime. + HairpinVeth = "hairpin-veth" + // Make the container bridge promiscuous. This will force it to accept + // hairpin packets, even if the flag isn't set on ports of the bridge. + PromiscuousBridge = "promiscuous-bridge" + // Neither of the above. If the kubelet is started in this hairpin mode + // and kube-proxy is running in iptables mode, hairpin packets will be + // dropped by the container bridge. + HairpinNone = "none" +) + +// ResourceChangeDetectionStrategy denotes a mode in which internal +// managers (secret, configmap) are discovering object changes. +type ResourceChangeDetectionStrategy string + +// Enum settings for different strategies of kubelet managers. +const ( + // GetChangeDetectionStrategy is a mode in which kubelet fetches + // necessary objects directly from apiserver. + GetChangeDetectionStrategy ResourceChangeDetectionStrategy = "Get" + // TTLCacheChangeDetectionStrategy is a mode in which kubelet uses + // ttl cache for object directly fetched from apiserver. + TTLCacheChangeDetectionStrategy ResourceChangeDetectionStrategy = "Cache" + // WatchChangeDetectionStrategy is a mode in which kubelet uses + // watches to observe changes to objects that are in its interest. + WatchChangeDetectionStrategy ResourceChangeDetectionStrategy = "Watch" + // RestrictedTopologyManagerPolicy is a mode in which kubelet only allows + // pods with optimal NUMA node alignment for requested resources + RestrictedTopologyManagerPolicy = "restricted" + // BestEffortTopologyManagerPolicy is a mode in which kubelet will favour + // pods with NUMA alignment of CPU and device resources. + BestEffortTopologyManagerPolicy = "best-effort" + // NoneTopologyManagerPolicy is a mode in which kubelet has no knowledge + // of NUMA alignment of a pod's CPU and device resources. + NoneTopologyManagerPolicy = "none" + // SingleNumaNodeTopologyManagerPolicy is a mode in which kubelet only allows + // pods with a single NUMA alignment of CPU and device resources. + SingleNumaNodeTopologyManagerPolicy = "single-numa-node" + // ContainerTopologyManagerScope represents that + // topology policy is applied on a per-container basis. + ContainerTopologyManagerScope = "container" + // PodTopologyManagerScope represents that + // topology policy is applied on a per-pod basis. + PodTopologyManagerScope = "pod" + // NoneMemoryManagerPolicy is a memory manager none policy, under the none policy + // the memory manager will not pin containers memory of guaranteed pods + NoneMemoryManagerPolicy = "None" + // StaticMemoryManagerPolicy is a memory manager static policy, under the static policy + // the memory manager will try to pin containers memory of guaranteed pods to the smallest + // possible sub-set of NUMA nodes + StaticMemoryManagerPolicy = "Static" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// KubeletConfiguration contains the configuration for the Kubelet +type KubeletConfiguration struct { + metav1.TypeMeta `json:",inline"` + + // enableServer enables Kubelet's secured server. + // Note: Kubelet's insecure port is controlled by the readOnlyPort option. + // Default: true + EnableServer *bool `json:"enableServer,omitempty"` + // staticPodPath is the path to the directory containing local (static) pods to + // run, or the path to a single static pod file. + // Default: "" + // +optional + StaticPodPath string `json:"staticPodPath,omitempty"` + // syncFrequency is the max period between synchronizing running + // containers and config. + // Default: "1m" + // +optional + SyncFrequency metav1.Duration `json:"syncFrequency,omitempty"` + // fileCheckFrequency is the duration between checking config files for + // new data. + // Default: "20s" + // +optional + FileCheckFrequency metav1.Duration `json:"fileCheckFrequency,omitempty"` + // httpCheckFrequency is the duration between checking http for new data. + // Default: "20s" + // +optional + HTTPCheckFrequency metav1.Duration `json:"httpCheckFrequency,omitempty"` + // staticPodURL is the URL for accessing static pods to run. + // Default: "" + // +optional + StaticPodURL string `json:"staticPodURL,omitempty"` + // staticPodURLHeader is a map of slices with HTTP headers to use when accessing the podURL. + // Default: nil + // +optional + StaticPodURLHeader map[string][]string `json:"staticPodURLHeader,omitempty"` + // address is the IP address for the Kubelet to serve on (set to 0.0.0.0 + // for all interfaces). + // Default: "0.0.0.0" + // +optional + Address string `json:"address,omitempty"` + // port is the port for the Kubelet to serve on. + // The port number must be between 1 and 65535, inclusive. + // Default: 10250 + // +optional + Port int32 `json:"port,omitempty"` + // readOnlyPort is the read-only port for the Kubelet to serve on with + // no authentication/authorization. + // The port number must be between 1 and 65535, inclusive. + // Setting this field to 0 disables the read-only service. + // Default: 0 (disabled) + // +optional + ReadOnlyPort int32 `json:"readOnlyPort,omitempty"` + // tlsCertFile is the file containing x509 Certificate for HTTPS. (CA cert, + // if any, concatenated after server cert). If tlsCertFile and + // tlsPrivateKeyFile are not provided, a self-signed certificate + // and key are generated for the public address and saved to the directory + // passed to the Kubelet's --cert-dir flag. + // Default: "" + // +optional + TLSCertFile string `json:"tlsCertFile,omitempty"` + // tlsPrivateKeyFile is the file containing x509 private key matching tlsCertFile. + // Default: "" + // +optional + TLSPrivateKeyFile string `json:"tlsPrivateKeyFile,omitempty"` + // tlsCipherSuites is the list of allowed cipher suites for the server. + // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). + // Default: nil + // +optional + TLSCipherSuites []string `json:"tlsCipherSuites,omitempty"` + // tlsMinVersion is the minimum TLS version supported. + // Values are from tls package constants (https://golang.org/pkg/crypto/tls/#pkg-constants). + // Default: "" + // +optional + TLSMinVersion string `json:"tlsMinVersion,omitempty"` + // rotateCertificates enables client certificate rotation. The Kubelet will request a + // new certificate from the certificates.k8s.io API. This requires an approver to approve the + // certificate signing requests. + // Default: false + // +optional + RotateCertificates bool `json:"rotateCertificates,omitempty"` + // serverTLSBootstrap enables server certificate bootstrap. Instead of self + // signing a serving certificate, the Kubelet will request a certificate from + // the 'certificates.k8s.io' API. This requires an approver to approve the + // certificate signing requests (CSR). The RotateKubeletServerCertificate feature + // must be enabled when setting this field. + // Default: false + // +optional + ServerTLSBootstrap bool `json:"serverTLSBootstrap,omitempty"` + // authentication specifies how requests to the Kubelet's server are authenticated. + // Defaults: + // anonymous: + // enabled: false + // webhook: + // enabled: true + // cacheTTL: "2m" + // +optional + Authentication KubeletAuthentication `json:"authentication"` + // authorization specifies how requests to the Kubelet's server are authorized. + // Defaults: + // mode: Webhook + // webhook: + // cacheAuthorizedTTL: "5m" + // cacheUnauthorizedTTL: "30s" + // +optional + Authorization KubeletAuthorization `json:"authorization"` + // registryPullQPS is the limit of registry pulls per second. + // The value must not be a negative number. + // Setting it to 0 means no limit. + // Default: 5 + // +optional + RegistryPullQPS *int32 `json:"registryPullQPS,omitempty"` + // registryBurst is the maximum size of bursty pulls, temporarily allows + // pulls to burst to this number, while still not exceeding registryPullQPS. + // The value must not be a negative number. + // Only used if registryPullQPS is greater than 0. + // Default: 10 + // +optional + RegistryBurst int32 `json:"registryBurst,omitempty"` + // eventRecordQPS is the maximum event creations per second. If 0, there + // is no limit enforced. The value cannot be a negative number. + // Default: 5 + // +optional + EventRecordQPS *int32 `json:"eventRecordQPS,omitempty"` + // eventBurst is the maximum size of a burst of event creations, temporarily + // allows event creations to burst to this number, while still not exceeding + // eventRecordQPS. This field canot be a negative number and it is only used + // when eventRecordQPS > 0. + // Default: 10 + // +optional + EventBurst int32 `json:"eventBurst,omitempty"` + // enableDebuggingHandlers enables server endpoints for log access + // and local running of containers and commands, including the exec, + // attach, logs, and portforward features. + // Default: true + // +optional + EnableDebuggingHandlers *bool `json:"enableDebuggingHandlers,omitempty"` + // enableContentionProfiling enables lock contention profiling, if enableDebuggingHandlers is true. + // Default: false + // +optional + EnableContentionProfiling bool `json:"enableContentionProfiling,omitempty"` + // healthzPort is the port of the localhost healthz endpoint (set to 0 to disable). + // A valid number is between 1 and 65535. + // Default: 10248 + // +optional + HealthzPort *int32 `json:"healthzPort,omitempty"` + // healthzBindAddress is the IP address for the healthz server to serve on. + // Default: "127.0.0.1" + // +optional + HealthzBindAddress string `json:"healthzBindAddress,omitempty"` + // oomScoreAdj is The oom-score-adj value for kubelet process. Values + // must be within the range [-1000, 1000]. + // Default: -999 + // +optional + OOMScoreAdj *int32 `json:"oomScoreAdj,omitempty"` + // clusterDomain is the DNS domain for this cluster. If set, kubelet will + // configure all containers to search this domain in addition to the + // host's search domains. + // Default: "" + // +optional + ClusterDomain string `json:"clusterDomain,omitempty"` + // clusterDNS is a list of IP addresses for the cluster DNS server. If set, + // kubelet will configure all containers to use this for DNS resolution + // instead of the host's DNS servers. + // Default: nil + // +optional + ClusterDNS []string `json:"clusterDNS,omitempty"` + // streamingConnectionIdleTimeout is the maximum time a streaming connection + // can be idle before the connection is automatically closed. + // Default: "4h" + // +optional + StreamingConnectionIdleTimeout metav1.Duration `json:"streamingConnectionIdleTimeout,omitempty"` + // nodeStatusUpdateFrequency is the frequency that kubelet computes node + // status. If node lease feature is not enabled, it is also the frequency that + // kubelet posts node status to master. + // Note: When node lease feature is not enabled, be cautious when changing the + // constant, it must work with nodeMonitorGracePeriod in nodecontroller. + // Default: "10s" + // +optional + NodeStatusUpdateFrequency metav1.Duration `json:"nodeStatusUpdateFrequency,omitempty"` + // nodeStatusReportFrequency is the frequency that kubelet posts node + // status to master if node status does not change. Kubelet will ignore this + // frequency and post node status immediately if any change is detected. It is + // only used when node lease feature is enabled. nodeStatusReportFrequency's + // default value is 5m. But if nodeStatusUpdateFrequency is set explicitly, + // nodeStatusReportFrequency's default value will be set to + // nodeStatusUpdateFrequency for backward compatibility. + // Default: "5m" + // +optional + NodeStatusReportFrequency metav1.Duration `json:"nodeStatusReportFrequency,omitempty"` + // nodeLeaseDurationSeconds is the duration the Kubelet will set on its corresponding Lease. + // NodeLease provides an indicator of node health by having the Kubelet create and + // periodically renew a lease, named after the node, in the kube-node-lease namespace. + // If the lease expires, the node can be considered unhealthy. + // The lease is currently renewed every 10s, per KEP-0009. In the future, the lease renewal + // interval may be set based on the lease duration. + // The field value must be greater than 0. + // Default: 40 + // +optional + NodeLeaseDurationSeconds int32 `json:"nodeLeaseDurationSeconds,omitempty"` + // imageMinimumGCAge is the minimum age for an unused image before it is + // garbage collected. + // Default: "2m" + // +optional + ImageMinimumGCAge metav1.Duration `json:"imageMinimumGCAge,omitempty"` + // imageGCHighThresholdPercent is the percent of disk usage after which + // image garbage collection is always run. The percent is calculated by + // dividing this field value by 100, so this field must be between 0 and + // 100, inclusive. When specified, the value must be greater than + // imageGCLowThresholdPercent. + // Default: 85 + // +optional + ImageGCHighThresholdPercent *int32 `json:"imageGCHighThresholdPercent,omitempty"` + // imageGCLowThresholdPercent is the percent of disk usage before which + // image garbage collection is never run. Lowest disk usage to garbage + // collect to. The percent is calculated by dividing this field value by 100, + // so the field value must be between 0 and 100, inclusive. When specified, the + // value must be less than imageGCHighThresholdPercent. + // Default: 80 + // +optional + ImageGCLowThresholdPercent *int32 `json:"imageGCLowThresholdPercent,omitempty"` + // volumeStatsAggPeriod is the frequency for calculating and caching volume + // disk usage for all pods. + // Default: "1m" + // +optional + VolumeStatsAggPeriod metav1.Duration `json:"volumeStatsAggPeriod,omitempty"` + // kubeletCgroups is the absolute name of cgroups to isolate the kubelet in + // Default: "" + // +optional + KubeletCgroups string `json:"kubeletCgroups,omitempty"` + // systemCgroups is absolute name of cgroups in which to place + // all non-kernel processes that are not already in a container. Empty + // for no container. Rolling back the flag requires a reboot. + // The cgroupRoot must be specified if this field is not empty. + // Default: "" + // +optional + SystemCgroups string `json:"systemCgroups,omitempty"` + // cgroupRoot is the root cgroup to use for pods. This is handled by the + // container runtime on a best effort basis. + // +optional + CgroupRoot string `json:"cgroupRoot,omitempty"` + // cgroupsPerQOS enable QoS based CGroup hierarchy: top level CGroups for QoS classes + // and all Burstable and BestEffort Pods are brought up under their specific top level + // QoS CGroup. + // Default: true + // +optional + CgroupsPerQOS *bool `json:"cgroupsPerQOS,omitempty"` + // cgroupDriver is the driver kubelet uses to manipulate CGroups on the host (cgroupfs + // or systemd). + // Default: "cgroupfs" + // +optional + CgroupDriver string `json:"cgroupDriver,omitempty"` + // cpuManagerPolicy is the name of the policy to use. + // Requires the CPUManager feature gate to be enabled. + // Default: "None" + // +optional + CPUManagerPolicy string `json:"cpuManagerPolicy,omitempty"` + // cpuManagerPolicyOptions is a set of key=value which allows to set extra options + // to fine tune the behaviour of the cpu manager policies. + // Requires both the "CPUManager" and "CPUManagerPolicyOptions" feature gates to be enabled. + // Default: nil + // +optional + CPUManagerPolicyOptions map[string]string `json:"cpuManagerPolicyOptions,omitempty"` + // cpuManagerReconcilePeriod is the reconciliation period for the CPU Manager. + // Requires the CPUManager feature gate to be enabled. + // Default: "10s" + // +optional + CPUManagerReconcilePeriod metav1.Duration `json:"cpuManagerReconcilePeriod,omitempty"` + // memoryManagerPolicy is the name of the policy to use by memory manager. + // Requires the MemoryManager feature gate to be enabled. + // Default: "none" + // +optional + MemoryManagerPolicy string `json:"memoryManagerPolicy,omitempty"` + // topologyManagerPolicy is the name of the topology manager policy to use. + // Valid values include: + // + // - `restricted`: kubelet only allows pods with optimal NUMA node alignment for + // requested resources; + // - `best-effort`: kubelet will favor pods with NUMA alignment of CPU and device + // resources; + // - `none`: kubelet has no knowledge of NUMA alignment of a pod's CPU and device resources. + // - `single-numa-node`: kubelet only allows pods with a single NUMA alignment + // of CPU and device resources. + // + // Policies other than "none" require the TopologyManager feature gate to be enabled. + // Default: "none" + // +optional + TopologyManagerPolicy string `json:"topologyManagerPolicy,omitempty"` + // topologyManagerScope represents the scope of topology hint generation + // that topology manager requests and hint providers generate. Valid values include: + // + // - `container`: topology policy is applied on a per-container basis. + // - `pod`: topology policy is applied on a per-pod basis. + // + // "pod" scope requires the TopologyManager feature gate to be enabled. + // Default: "container" + // +optional + TopologyManagerScope string `json:"topologyManagerScope,omitempty"` + // qosReserved is a set of resource name to percentage pairs that specify + // the minimum percentage of a resource reserved for exclusive use by the + // guaranteed QoS tier. + // Currently supported resources: "memory" + // Requires the QOSReserved feature gate to be enabled. + // Default: nil + // +optional + QOSReserved map[string]string `json:"qosReserved,omitempty"` + // runtimeRequestTimeout is the timeout for all runtime requests except long running + // requests - pull, logs, exec and attach. + // Default: "2m" + // +optional + RuntimeRequestTimeout metav1.Duration `json:"runtimeRequestTimeout,omitempty"` + // hairpinMode specifies how the Kubelet should configure the container + // bridge for hairpin packets. + // Setting this flag allows endpoints in a Service to loadbalance back to + // themselves if they should try to access their own Service. Values: + // + // - "promiscuous-bridge": make the container bridge promiscuous. + // - "hairpin-veth": set the hairpin flag on container veth interfaces. + // - "none": do nothing. + // + // Generally, one must set `--hairpin-mode=hairpin-veth to` achieve hairpin NAT, + // because promiscuous-bridge assumes the existence of a container bridge named cbr0. + // Default: "promiscuous-bridge" + // +optional + HairpinMode string `json:"hairpinMode,omitempty"` + // maxPods is the maximum number of Pods that can run on this Kubelet. + // The value must be a non-negative integer. + // Default: 110 + // +optional + MaxPods int32 `json:"maxPods,omitempty"` + // podCIDR is the CIDR to use for pod IP addresses, only used in standalone mode. + // In cluster mode, this is obtained from the control plane. + // Default: "" + // +optional + PodCIDR string `json:"podCIDR,omitempty"` + // podPidsLimit is the maximum number of PIDs in any pod. + // Default: -1 + // +optional + PodPidsLimit *int64 `json:"podPidsLimit,omitempty"` + // resolvConf is the resolver configuration file used as the basis + // for the container DNS resolution configuration. + // If set to the empty string, will override the default and effectively disable DNS lookups. + // Default: "/etc/resolv.conf" + // +optional + ResolverConfig *string `json:"resolvConf,omitempty"` + // runOnce causes the Kubelet to check the API server once for pods, + // run those in addition to the pods specified by static pod files, and exit. + // Default: false + // +optional + RunOnce bool `json:"runOnce,omitempty"` + // cpuCFSQuota enables CPU CFS quota enforcement for containers that + // specify CPU limits. + // Default: true + // +optional + CPUCFSQuota *bool `json:"cpuCFSQuota,omitempty"` + // cpuCFSQuotaPeriod is the CPU CFS quota period value, `cpu.cfs_period_us`. + // The value must be between 1 us and 1 second, inclusive. + // Requires the CustomCPUCFSQuotaPeriod feature gate to be enabled. + // Default: "100ms" + // +optional + CPUCFSQuotaPeriod *metav1.Duration `json:"cpuCFSQuotaPeriod,omitempty"` + // nodeStatusMaxImages caps the number of images reported in Node.status.images. + // The value must be greater than -2. + // Note: If -1 is specified, no cap will be applied. If 0 is specified, no image is returned. + // Default: 50 + // +optional + NodeStatusMaxImages *int32 `json:"nodeStatusMaxImages,omitempty"` + // maxOpenFiles is Number of files that can be opened by Kubelet process. + // The value must be a non-negative number. + // Default: 1000000 + // +optional + MaxOpenFiles int64 `json:"maxOpenFiles,omitempty"` + // contentType is contentType of requests sent to apiserver. + // Default: "application/vnd.kubernetes.protobuf" + // +optional + ContentType string `json:"contentType,omitempty"` + // kubeAPIQPS is the QPS to use while talking with kubernetes apiserver. + // Default: 5 + // +optional + KubeAPIQPS *int32 `json:"kubeAPIQPS,omitempty"` + // kubeAPIBurst is the burst to allow while talking with kubernetes API server. + // This field cannot be a negative number. + // Default: 10 + // +optional + KubeAPIBurst int32 `json:"kubeAPIBurst,omitempty"` + // serializeImagePulls when enabled, tells the Kubelet to pull images one + // at a time. We recommend *not* changing the default value on nodes that + // run docker daemon with version < 1.9 or an Aufs storage backend. + // Issue #10959 has more details. + // Default: true + // +optional + SerializeImagePulls *bool `json:"serializeImagePulls,omitempty"` + // evictionHard is a map of signal names to quantities that defines hard eviction + // thresholds. For example: `{"memory.available": "300Mi"}`. + // To explicitly disable, pass a 0% or 100% threshold on an arbitrary resource. + // Default: + // memory.available: "100Mi" + // nodefs.available: "10%" + // nodefs.inodesFree: "5%" + // imagefs.available: "15%" + // +optional + EvictionHard map[string]string `json:"evictionHard,omitempty"` + // evictionSoft is a map of signal names to quantities that defines soft eviction thresholds. + // For example: `{"memory.available": "300Mi"}`. + // Default: nil + // +optional + EvictionSoft map[string]string `json:"evictionSoft,omitempty"` + // evictionSoftGracePeriod is a map of signal names to quantities that defines grace + // periods for each soft eviction signal. For example: `{"memory.available": "30s"}`. + // Default: nil + // +optional + EvictionSoftGracePeriod map[string]string `json:"evictionSoftGracePeriod,omitempty"` + // evictionPressureTransitionPeriod is the duration for which the kubelet has to wait + // before transitioning out of an eviction pressure condition. + // Default: "5m" + // +optional + EvictionPressureTransitionPeriod metav1.Duration `json:"evictionPressureTransitionPeriod,omitempty"` + // evictionMaxPodGracePeriod is the maximum allowed grace period (in seconds) to use + // when terminating pods in response to a soft eviction threshold being met. This value + // effectively caps the Pod's terminationGracePeriodSeconds value during soft evictions. + // Note: Due to issue #64530, the behavior has a bug where this value currently just + // overrides the grace period during soft eviction, which can increase the grace + // period from what is set on the Pod. This bug will be fixed in a future release. + // Default: 0 + // +optional + EvictionMaxPodGracePeriod int32 `json:"evictionMaxPodGracePeriod,omitempty"` + // evictionMinimumReclaim is a map of signal names to quantities that defines minimum reclaims, + // which describe the minimum amount of a given resource the kubelet will reclaim when + // performing a pod eviction while that resource is under pressure. + // For example: `{"imagefs.available": "2Gi"}`. + // Default: nil + // +optional + EvictionMinimumReclaim map[string]string `json:"evictionMinimumReclaim,omitempty"` + // podsPerCore is the maximum number of pods per core. Cannot exceed maxPods. + // The value must be a non-negative integer. + // If 0, there is no limit on the number of Pods. + // Default: 0 + // +optional + PodsPerCore int32 `json:"podsPerCore,omitempty"` + // enableControllerAttachDetach enables the Attach/Detach controller to + // manage attachment/detachment of volumes scheduled to this node, and + // disables kubelet from executing any attach/detach operations. + // Note: attaching/detaching CSI volumes is not supported by the kubelet, + // so this option needs to be true for that use case. + // Default: true + // +optional + EnableControllerAttachDetach *bool `json:"enableControllerAttachDetach,omitempty"` + // protectKernelDefaults, if true, causes the Kubelet to error if kernel + // flags are not as it expects. Otherwise the Kubelet will attempt to modify + // kernel flags to match its expectation. + // Default: false + // +optional + ProtectKernelDefaults bool `json:"protectKernelDefaults,omitempty"` + // makeIPTablesUtilChains, if true, causes the Kubelet ensures a set of iptables rules + // are present on host. + // These rules will serve as utility rules for various components, e.g. kube-proxy. + // The rules will be created based on iptablesMasqueradeBit and iptablesDropBit. + // Default: true + // +optional + MakeIPTablesUtilChains *bool `json:"makeIPTablesUtilChains,omitempty"` + // iptablesMasqueradeBit is the bit of the iptables fwmark space to mark for SNAT. + // Values must be within the range [0, 31]. Must be different from other mark bits. + // Warning: Please match the value of the corresponding parameter in kube-proxy. + // TODO: clean up IPTablesMasqueradeBit in kube-proxy. + // Default: 14 + // +optional + IPTablesMasqueradeBit *int32 `json:"iptablesMasqueradeBit,omitempty"` + // iptablesDropBit is the bit of the iptables fwmark space to mark for dropping packets. + // Values must be within the range [0, 31]. Must be different from other mark bits. + // Default: 15 + // +optional + IPTablesDropBit *int32 `json:"iptablesDropBit,omitempty"` + // featureGates is a map of feature names to bools that enable or disable experimental + // features. This field modifies piecemeal the built-in default values from + // "k8s.io/kubernetes/pkg/features/kube_features.go". + // Default: nil + // +optional + FeatureGates map[string]bool `json:"featureGates,omitempty"` + // failSwapOn tells the Kubelet to fail to start if swap is enabled on the node. + // Default: true + // +optional + FailSwapOn *bool `json:"failSwapOn,omitempty"` + // memorySwap configures swap memory available to container workloads. + // +featureGate=NodeSwap + // +optional + MemorySwap MemorySwapConfiguration `json:"memorySwap,omitempty"` + // containerLogMaxSize is a quantity defining the maximum size of the container log + // file before it is rotated. For example: "5Mi" or "256Ki". + // Default: "10Mi" + // +optional + ContainerLogMaxSize string `json:"containerLogMaxSize,omitempty"` + // containerLogMaxFiles specifies the maximum number of container log files that can + // be present for a container. + // Default: 5 + // +optional + ContainerLogMaxFiles *int32 `json:"containerLogMaxFiles,omitempty"` + // configMapAndSecretChangeDetectionStrategy is a mode in which ConfigMap and Secret + // managers are running. Valid values include: + // + // - `Get`: kubelet fetches necessary objects directly from the API server; + // - `Cache`: kubelet uses TTL cache for object fetched from the API server; + // - `Watch`: kubelet uses watches to observe changes to objects that are in its interest. + // + // Default: "Watch" + // +optional + ConfigMapAndSecretChangeDetectionStrategy ResourceChangeDetectionStrategy `json:"configMapAndSecretChangeDetectionStrategy,omitempty"` + + /* the following fields are meant for Node Allocatable */ + + // systemReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) + // pairs that describe resources reserved for non-kubernetes components. + // Currently only cpu and memory are supported. + // See http://kubernetes.io/docs/user-guide/compute-resources for more detail. + // Default: nil + // +optional + SystemReserved map[string]string `json:"systemReserved,omitempty"` + // kubeReserved is a set of ResourceName=ResourceQuantity (e.g. cpu=200m,memory=150G) pairs + // that describe resources reserved for kubernetes system components. + // Currently cpu, memory and local storage for root file system are supported. + // See https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + // for more details. + // Default: nil + // +optional + KubeReserved map[string]string `json:"kubeReserved,omitempty"` + // The reservedSystemCPUs option specifies the CPU list reserved for the host + // level system threads and kubernetes related threads. This provide a "static" + // CPU list rather than the "dynamic" list by systemReserved and kubeReserved. + // This option does not support systemReservedCgroup or kubeReservedCgroup. + ReservedSystemCPUs string `json:"reservedSystemCPUs,omitempty"` + // showHiddenMetricsForVersion is the previous version for which you want to show + // hidden metrics. + // Only the previous minor version is meaningful, other values will not be allowed. + // The format is `.`, e.g.: `1.16`. + // The purpose of this format is make sure you have the opportunity to notice + // if the next release hides additional metrics, rather than being surprised + // when they are permanently removed in the release after that. + // Default: "" + // +optional + ShowHiddenMetricsForVersion string `json:"showHiddenMetricsForVersion,omitempty"` + // systemReservedCgroup helps the kubelet identify absolute name of top level CGroup used + // to enforce `systemReserved` compute resource reservation for OS system daemons. + // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) + // doc for more information. + // Default: "" + // +optional + SystemReservedCgroup string `json:"systemReservedCgroup,omitempty"` + // kubeReservedCgroup helps the kubelet identify absolute name of top level CGroup used + // to enforce `KubeReserved` compute resource reservation for Kubernetes node system daemons. + // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) + // doc for more information. + // Default: "" + // +optional + KubeReservedCgroup string `json:"kubeReservedCgroup,omitempty"` + // This flag specifies the various Node Allocatable enforcements that Kubelet needs to perform. + // This flag accepts a list of options. Acceptable options are `none`, `pods`, + // `system-reserved` and `kube-reserved`. + // If `none` is specified, no other options may be specified. + // When `system-reserved` is in the list, systemReservedCgroup must be specified. + // When `kube-reserved` is in the list, kubeReservedCgroup must be specified. + // This field is supported only when `cgroupsPerQOS` is set to true. + // Refer to [Node Allocatable](https://git.k8s.io/community/contributors/design-proposals/node/node-allocatable.md) + // for more information. + // Default: ["pods"] + // +optional + EnforceNodeAllocatable []string `json:"enforceNodeAllocatable,omitempty"` + // A comma separated whitelist of unsafe sysctls or sysctl patterns (ending in `*`). + // Unsafe sysctl groups are `kernel.shm*`, `kernel.msg*`, `kernel.sem`, `fs.mqueue.*`, + // and `net.*`. For example: "`kernel.msg*,net.ipv4.route.min_pmtu`" + // Default: [] + // +optional + AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty"` + // volumePluginDir is the full path of the directory in which to search + // for additional third party volume plugins. + // Default: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/" + // +optional + VolumePluginDir string `json:"volumePluginDir,omitempty"` + // providerID, if set, sets the unique ID of the instance that an external + // provider (i.e. cloudprovider) can use to identify a specific node. + // Default: "" + // +optional + ProviderID string `json:"providerID,omitempty"` + // kernelMemcgNotification, if set, instructs the kubelet to integrate with the + // kernel memcg notification for determining if memory eviction thresholds are + // exceeded rather than polling. + // Default: false + // +optional + KernelMemcgNotification bool `json:"kernelMemcgNotification,omitempty"` + // logging specifies the options of logging. + // Refer to [Logs Options](https://github.com/kubernetes/component-base/blob/master/logs/options.go) + // for more information. + // Default: + // Format: text + // + optional + Logging logsapi.LoggingConfiguration `json:"logging,omitempty"` + // enableSystemLogHandler enables system logs via web interface host:port/logs/ + // Default: true + // +optional + EnableSystemLogHandler *bool `json:"enableSystemLogHandler,omitempty"` + // shutdownGracePeriod specifies the total duration that the node should delay the + // shutdown and total grace period for pod termination during a node shutdown. + // Default: "0s" + // +featureGate=GracefulNodeShutdown + // +optional + ShutdownGracePeriod metav1.Duration `json:"shutdownGracePeriod,omitempty"` + // shutdownGracePeriodCriticalPods specifies the duration used to terminate critical + // pods during a node shutdown. This should be less than shutdownGracePeriod. + // For example, if shutdownGracePeriod=30s, and shutdownGracePeriodCriticalPods=10s, + // during a node shutdown the first 20 seconds would be reserved for gracefully + // terminating normal pods, and the last 10 seconds would be reserved for terminating + // critical pods. + // Default: "0s" + // +featureGate=GracefulNodeShutdown + // +optional + ShutdownGracePeriodCriticalPods metav1.Duration `json:"shutdownGracePeriodCriticalPods,omitempty"` + // shutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based + // on their associated priority class value. + // When a shutdown request is received, the Kubelet will initiate shutdown on all pods + // running on the node with a grace period that depends on the priority of the pod, + // and then wait for all pods to exit. + // Each entry in the array represents the graceful shutdown time a pod with a priority + // class value that lies in the range of that value and the next higher entry in the + // list when the node is shutting down. + // For example, to allow critical pods 10s to shutdown, priority>=10000 pods 20s to + // shutdown, and all remaining pods 30s to shutdown. + // + // shutdownGracePeriodByPodPriority: + // - priority: 2000000000 + // shutdownGracePeriodSeconds: 10 + // - priority: 10000 + // shutdownGracePeriodSeconds: 20 + // - priority: 0 + // shutdownGracePeriodSeconds: 30 + // + // The time the Kubelet will wait before exiting will at most be the maximum of all + // shutdownGracePeriodSeconds for each priority class range represented on the node. + // When all pods have exited or reached their grace periods, the Kubelet will release + // the shutdown inhibit lock. + // Requires the GracefulNodeShutdown feature gate to be enabled. + // This configuration must be empty if either ShutdownGracePeriod or ShutdownGracePeriodCriticalPods is set. + // Default: nil + // +featureGate=GracefulNodeShutdownBasedOnPodPriority + // +optional + ShutdownGracePeriodByPodPriority []ShutdownGracePeriodByPodPriority `json:"shutdownGracePeriodByPodPriority,omitempty"` + // reservedMemory specifies a comma-separated list of memory reservations for NUMA nodes. + // The parameter makes sense only in the context of the memory manager feature. + // The memory manager will not allocate reserved memory for container workloads. + // For example, if you have a NUMA0 with 10Gi of memory and the reservedMemory was + // specified to reserve 1Gi of memory at NUMA0, the memory manager will assume that + // only 9Gi is available for allocation. + // You can specify a different amount of NUMA node and memory types. + // You can omit this parameter at all, but you should be aware that the amount of + // reserved memory from all NUMA nodes should be equal to the amount of memory specified + // by the [node allocatable](https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/#node-allocatable). + // If at least one node allocatable parameter has a non-zero value, you will need + // to specify at least one NUMA node. + // Also, avoid specifying: + // + // 1. Duplicates, the same NUMA node, and memory type, but with a different value. + // 2. zero limits for any memory type. + // 3. NUMAs nodes IDs that do not exist under the machine. + // 4. memory types except for memory and hugepages- + // + // Default: nil + // +optional + ReservedMemory []MemoryReservation `json:"reservedMemory,omitempty"` + // enableProfilingHandler enables profiling via web interface host:port/debug/pprof/ + // Default: true + // +optional + EnableProfilingHandler *bool `json:"enableProfilingHandler,omitempty"` + // enableDebugFlagsHandler enables flags endpoint via web interface host:port/debug/flags/v + // Default: true + // +optional + EnableDebugFlagsHandler *bool `json:"enableDebugFlagsHandler,omitempty"` + // SeccompDefault enables the use of `RuntimeDefault` as the default seccomp profile for all workloads. + // This requires the corresponding SeccompDefault feature gate to be enabled as well. + // Default: false + // +optional + SeccompDefault *bool `json:"seccompDefault,omitempty"` + // MemoryThrottlingFactor specifies the factor multiplied by the memory limit or node allocatable memory + // when setting the cgroupv2 memory.high value to enforce MemoryQoS. + // Decreasing this factor will set lower high limit for container cgroups and put heavier reclaim pressure + // while increasing will put less reclaim pressure. + // See http://kep.k8s.io/2570 for more details. + // Default: 0.8 + // +featureGate=MemoryQoS + // +optional + MemoryThrottlingFactor *float64 `json:"memoryThrottlingFactor,omitempty"` + // registerWithTaints are an array of taints to add to a node object when + // the kubelet registers itself. This only takes effect when registerNode + // is true and upon the initial registration of the node. + // Default: nil + // +optional + RegisterWithTaints []v1.Taint `json:"registerWithTaints,omitempty"` + // registerNode enables automatic registration with the apiserver. + // Default: true + // +optional + RegisterNode *bool `json:"registerNode,omitempty"` +} + +type KubeletAuthorizationMode string + +const ( + // KubeletAuthorizationModeAlwaysAllow authorizes all authenticated requests + KubeletAuthorizationModeAlwaysAllow KubeletAuthorizationMode = "AlwaysAllow" + // KubeletAuthorizationModeWebhook uses the SubjectAccessReview API to determine authorization + KubeletAuthorizationModeWebhook KubeletAuthorizationMode = "Webhook" +) + +type KubeletAuthorization struct { + // mode is the authorization mode to apply to requests to the kubelet server. + // Valid values are `AlwaysAllow` and `Webhook`. + // Webhook mode uses the SubjectAccessReview API to determine authorization. + // +optional + Mode KubeletAuthorizationMode `json:"mode,omitempty"` + + // webhook contains settings related to Webhook authorization. + // +optional + Webhook KubeletWebhookAuthorization `json:"webhook"` +} + +type KubeletWebhookAuthorization struct { + // cacheAuthorizedTTL is the duration to cache 'authorized' responses from the + // webhook authorizer. + // +optional + CacheAuthorizedTTL metav1.Duration `json:"cacheAuthorizedTTL,omitempty"` + // cacheUnauthorizedTTL is the duration to cache 'unauthorized' responses from + // the webhook authorizer. + // +optional + CacheUnauthorizedTTL metav1.Duration `json:"cacheUnauthorizedTTL,omitempty"` +} + +type KubeletAuthentication struct { + // x509 contains settings related to x509 client certificate authentication. + // +optional + X509 KubeletX509Authentication `json:"x509"` + // webhook contains settings related to webhook bearer token authentication. + // +optional + Webhook KubeletWebhookAuthentication `json:"webhook"` + // anonymous contains settings related to anonymous authentication. + // +optional + Anonymous KubeletAnonymousAuthentication `json:"anonymous"` +} + +type KubeletX509Authentication struct { + // clientCAFile is the path to a PEM-encoded certificate bundle. If set, any request + // presenting a client certificate signed by one of the authorities in the bundle + // is authenticated with a username corresponding to the CommonName, + // and groups corresponding to the Organization in the client certificate. + // +optional + ClientCAFile string `json:"clientCAFile,omitempty"` +} + +type KubeletWebhookAuthentication struct { + // enabled allows bearer token authentication backed by the + // tokenreviews.authentication.k8s.io API. + // +optional + Enabled *bool `json:"enabled,omitempty"` + // cacheTTL enables caching of authentication results + // +optional + CacheTTL metav1.Duration `json:"cacheTTL,omitempty"` +} + +type KubeletAnonymousAuthentication struct { + // enabled allows anonymous requests to the kubelet server. + // Requests that are not rejected by another authentication method are treated as + // anonymous requests. + // Anonymous requests have a username of `system:anonymous`, and a group name of + // `system:unauthenticated`. + // +optional + Enabled *bool `json:"enabled,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// SerializedNodeConfigSource allows us to serialize v1.NodeConfigSource. +// This type is used internally by the Kubelet for tracking checkpointed dynamic configs. +// It exists in the kubeletconfig API group because it is classified as a versioned input to the Kubelet. +type SerializedNodeConfigSource struct { + metav1.TypeMeta `json:",inline"` + // source is the source that we are serializing. + // +optional + Source v1.NodeConfigSource `json:"source,omitempty" protobuf:"bytes,1,opt,name=source"` +} + +// MemoryReservation specifies the memory reservation of different types for each NUMA node +type MemoryReservation struct { + NumaNode int32 `json:"numaNode"` + Limits v1.ResourceList `json:"limits"` +} + +// ShutdownGracePeriodByPodPriority specifies the shutdown grace period for Pods based on their associated priority class value +type ShutdownGracePeriodByPodPriority struct { + // priority is the priority value associated with the shutdown grace period + Priority int32 `json:"priority"` + // shutdownGracePeriodSeconds is the shutdown grace period in seconds + ShutdownGracePeriodSeconds int64 `json:"shutdownGracePeriodSeconds"` +} + +type MemorySwapConfiguration struct { + // swapBehavior configures swap memory available to container workloads. May be one of + // "", "LimitedSwap": workload combined memory and swap usage cannot exceed pod memory limit + // "UnlimitedSwap": workloads can use unlimited swap, up to the allocatable limit. + // +featureGate=NodeSwap + // +optional + SwapBehavior string `json:"swapBehavior,omitempty"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderConfig is the configuration containing information about +// each exec credential provider. Kubelet reads this configuration from disk and enables +// each provider as specified by the CredentialProvider type. +type CredentialProviderConfig struct { + metav1.TypeMeta `json:",inline"` + + // providers is a list of credential provider plugins that will be enabled by the kubelet. + // Multiple providers may match against a single image, in which case credentials + // from all providers will be returned to the kubelet. If multiple providers are called + // for a single image, the results are combined. If providers return overlapping + // auth keys, the value from the provider earlier in this list is used. + Providers []CredentialProvider `json:"providers"` +} + +// CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only +// invoked when an image being pulled matches the images handled by the plugin (see matchImages). +type CredentialProvider struct { + // name is the required name of the credential provider. It must match the name of the + // provider executable as seen by the kubelet. The executable must be in the kubelet's + // bin directory (set by the --image-credential-provider-bin-dir flag). + Name string `json:"name"` + + // matchImages is a required list of strings used to match against images in order to + // determine if this provider should be invoked. If one of the strings matches the + // requested image from the kubelet, the plugin will be invoked and given a chance + // to provide credentials. Images are expected to contain the registry domain + // and URL path. + // + // Each entry in matchImages is a pattern which can optionally contain a port and a path. + // Globs can be used in the domain, but not in the port or the path. Globs are supported + // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. + // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match + // a single subdomain segment, so *.io does not match *.k8s.io. + // + // A match exists between an image and a matchImage when all of the below are true: + // - Both contain the same number of domain parts and each part matches. + // - The URL path of an imageMatch must be a prefix of the target image URL path. + // - If the imageMatch contains a port, then the port must match in the image as well. + // + // Example values of matchImages: + // - 123456789.dkr.ecr.us-east-1.amazonaws.com + // - *.azurecr.io + // - gcr.io + // - *.*.registry.io + // - registry.io:8080/path + MatchImages []string `json:"matchImages"` + + // defaultCacheDuration is the default duration the plugin will cache credentials in-memory + // if a cache duration is not provided in the plugin response. This field is required. + DefaultCacheDuration *metav1.Duration `json:"defaultCacheDuration"` + + // Required input version of the exec CredentialProviderRequest. The returned CredentialProviderResponse + // MUST use the same encoding version as the input. Current supported values are: + // - credentialprovider.kubelet.k8s.io/v1beta1 + APIVersion string `json:"apiVersion"` + + // Arguments to pass to the command when executing it. + // +optional + Args []string `json:"args,omitempty"` + + // Env defines additional environment variables to expose to the process. These + // are unioned with the host's environment, as well as variables client-go uses + // to pass argument to the plugin. + // +optional + Env []ExecEnvVar `json:"env,omitempty"` +} + +// ExecEnvVar is used for setting environment variables when executing an exec-based +// credential plugin. +type ExecEnvVar struct { + Name string `json:"name"` + Value string `json:"value"` +} diff --git a/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..ccb8fbbafbd --- /dev/null +++ b/staging/src/k8s.io/kubelet/config/v1/zz_generated.deepcopy.go @@ -0,0 +1,605 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1beta1 + +import ( + corev1 "k8s.io/api/core/v1" + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProvider) DeepCopyInto(out *CredentialProvider) { + *out = *in + if in.MatchImages != nil { + in, out := &in.MatchImages, &out.MatchImages + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.DefaultCacheDuration != nil { + in, out := &in.DefaultCacheDuration, &out.DefaultCacheDuration + *out = new(v1.Duration) + **out = **in + } + if in.Args != nil { + in, out := &in.Args, &out.Args + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.Env != nil { + in, out := &in.Env, &out.Env + *out = make([]ExecEnvVar, len(*in)) + copy(*out, *in) + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProvider. +func (in *CredentialProvider) DeepCopy() *CredentialProvider { + if in == nil { + return nil + } + out := new(CredentialProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderConfig) DeepCopyInto(out *CredentialProviderConfig) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.Providers != nil { + in, out := &in.Providers, &out.Providers + *out = make([]CredentialProvider, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderConfig. +func (in *CredentialProviderConfig) DeepCopy() *CredentialProviderConfig { + if in == nil { + return nil + } + out := new(CredentialProviderConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderConfig) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ExecEnvVar) DeepCopyInto(out *ExecEnvVar) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecEnvVar. +func (in *ExecEnvVar) DeepCopy() *ExecEnvVar { + if in == nil { + return nil + } + out := new(ExecEnvVar) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletAnonymousAuthentication) DeepCopyInto(out *KubeletAnonymousAuthentication) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAnonymousAuthentication. +func (in *KubeletAnonymousAuthentication) DeepCopy() *KubeletAnonymousAuthentication { + if in == nil { + return nil + } + out := new(KubeletAnonymousAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletAuthentication) DeepCopyInto(out *KubeletAuthentication) { + *out = *in + out.X509 = in.X509 + in.Webhook.DeepCopyInto(&out.Webhook) + in.Anonymous.DeepCopyInto(&out.Anonymous) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAuthentication. +func (in *KubeletAuthentication) DeepCopy() *KubeletAuthentication { + if in == nil { + return nil + } + out := new(KubeletAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletAuthorization) DeepCopyInto(out *KubeletAuthorization) { + *out = *in + out.Webhook = in.Webhook + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletAuthorization. +func (in *KubeletAuthorization) DeepCopy() *KubeletAuthorization { + if in == nil { + return nil + } + out := new(KubeletAuthorization) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.EnableServer != nil { + in, out := &in.EnableServer, &out.EnableServer + *out = new(bool) + **out = **in + } + out.SyncFrequency = in.SyncFrequency + out.FileCheckFrequency = in.FileCheckFrequency + out.HTTPCheckFrequency = in.HTTPCheckFrequency + if in.StaticPodURLHeader != nil { + in, out := &in.StaticPodURLHeader, &out.StaticPodURLHeader + *out = make(map[string][]string, len(*in)) + for key, val := range *in { + var outVal []string + if val == nil { + (*out)[key] = nil + } else { + in, out := &val, &outVal + *out = make([]string, len(*in)) + copy(*out, *in) + } + (*out)[key] = outVal + } + } + if in.TLSCipherSuites != nil { + in, out := &in.TLSCipherSuites, &out.TLSCipherSuites + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.Authentication.DeepCopyInto(&out.Authentication) + out.Authorization = in.Authorization + if in.RegistryPullQPS != nil { + in, out := &in.RegistryPullQPS, &out.RegistryPullQPS + *out = new(int32) + **out = **in + } + if in.EventRecordQPS != nil { + in, out := &in.EventRecordQPS, &out.EventRecordQPS + *out = new(int32) + **out = **in + } + if in.EnableDebuggingHandlers != nil { + in, out := &in.EnableDebuggingHandlers, &out.EnableDebuggingHandlers + *out = new(bool) + **out = **in + } + if in.HealthzPort != nil { + in, out := &in.HealthzPort, &out.HealthzPort + *out = new(int32) + **out = **in + } + if in.OOMScoreAdj != nil { + in, out := &in.OOMScoreAdj, &out.OOMScoreAdj + *out = new(int32) + **out = **in + } + if in.ClusterDNS != nil { + in, out := &in.ClusterDNS, &out.ClusterDNS + *out = make([]string, len(*in)) + copy(*out, *in) + } + out.StreamingConnectionIdleTimeout = in.StreamingConnectionIdleTimeout + out.NodeStatusUpdateFrequency = in.NodeStatusUpdateFrequency + out.NodeStatusReportFrequency = in.NodeStatusReportFrequency + out.ImageMinimumGCAge = in.ImageMinimumGCAge + if in.ImageGCHighThresholdPercent != nil { + in, out := &in.ImageGCHighThresholdPercent, &out.ImageGCHighThresholdPercent + *out = new(int32) + **out = **in + } + if in.ImageGCLowThresholdPercent != nil { + in, out := &in.ImageGCLowThresholdPercent, &out.ImageGCLowThresholdPercent + *out = new(int32) + **out = **in + } + out.VolumeStatsAggPeriod = in.VolumeStatsAggPeriod + if in.CgroupsPerQOS != nil { + in, out := &in.CgroupsPerQOS, &out.CgroupsPerQOS + *out = new(bool) + **out = **in + } + if in.CPUManagerPolicyOptions != nil { + in, out := &in.CPUManagerPolicyOptions, &out.CPUManagerPolicyOptions + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.CPUManagerReconcilePeriod = in.CPUManagerReconcilePeriod + if in.QOSReserved != nil { + in, out := &in.QOSReserved, &out.QOSReserved + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.RuntimeRequestTimeout = in.RuntimeRequestTimeout + if in.PodPidsLimit != nil { + in, out := &in.PodPidsLimit, &out.PodPidsLimit + *out = new(int64) + **out = **in + } + if in.ResolverConfig != nil { + in, out := &in.ResolverConfig, &out.ResolverConfig + *out = new(string) + **out = **in + } + if in.CPUCFSQuota != nil { + in, out := &in.CPUCFSQuota, &out.CPUCFSQuota + *out = new(bool) + **out = **in + } + if in.CPUCFSQuotaPeriod != nil { + in, out := &in.CPUCFSQuotaPeriod, &out.CPUCFSQuotaPeriod + *out = new(v1.Duration) + **out = **in + } + if in.NodeStatusMaxImages != nil { + in, out := &in.NodeStatusMaxImages, &out.NodeStatusMaxImages + *out = new(int32) + **out = **in + } + if in.KubeAPIQPS != nil { + in, out := &in.KubeAPIQPS, &out.KubeAPIQPS + *out = new(int32) + **out = **in + } + if in.SerializeImagePulls != nil { + in, out := &in.SerializeImagePulls, &out.SerializeImagePulls + *out = new(bool) + **out = **in + } + if in.EvictionHard != nil { + in, out := &in.EvictionHard, &out.EvictionHard + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EvictionSoft != nil { + in, out := &in.EvictionSoft, &out.EvictionSoft + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EvictionSoftGracePeriod != nil { + in, out := &in.EvictionSoftGracePeriod, &out.EvictionSoftGracePeriod + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + out.EvictionPressureTransitionPeriod = in.EvictionPressureTransitionPeriod + if in.EvictionMinimumReclaim != nil { + in, out := &in.EvictionMinimumReclaim, &out.EvictionMinimumReclaim + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EnableControllerAttachDetach != nil { + in, out := &in.EnableControllerAttachDetach, &out.EnableControllerAttachDetach + *out = new(bool) + **out = **in + } + if in.MakeIPTablesUtilChains != nil { + in, out := &in.MakeIPTablesUtilChains, &out.MakeIPTablesUtilChains + *out = new(bool) + **out = **in + } + if in.IPTablesMasqueradeBit != nil { + in, out := &in.IPTablesMasqueradeBit, &out.IPTablesMasqueradeBit + *out = new(int32) + **out = **in + } + if in.IPTablesDropBit != nil { + in, out := &in.IPTablesDropBit, &out.IPTablesDropBit + *out = new(int32) + **out = **in + } + if in.FeatureGates != nil { + in, out := &in.FeatureGates, &out.FeatureGates + *out = make(map[string]bool, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.FailSwapOn != nil { + in, out := &in.FailSwapOn, &out.FailSwapOn + *out = new(bool) + **out = **in + } + out.MemorySwap = in.MemorySwap + if in.ContainerLogMaxFiles != nil { + in, out := &in.ContainerLogMaxFiles, &out.ContainerLogMaxFiles + *out = new(int32) + **out = **in + } + if in.SystemReserved != nil { + in, out := &in.SystemReserved, &out.SystemReserved + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.KubeReserved != nil { + in, out := &in.KubeReserved, &out.KubeReserved + *out = make(map[string]string, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + if in.EnforceNodeAllocatable != nil { + in, out := &in.EnforceNodeAllocatable, &out.EnforceNodeAllocatable + *out = make([]string, len(*in)) + copy(*out, *in) + } + if in.AllowedUnsafeSysctls != nil { + in, out := &in.AllowedUnsafeSysctls, &out.AllowedUnsafeSysctls + *out = make([]string, len(*in)) + copy(*out, *in) + } + in.Logging.DeepCopyInto(&out.Logging) + if in.EnableSystemLogHandler != nil { + in, out := &in.EnableSystemLogHandler, &out.EnableSystemLogHandler + *out = new(bool) + **out = **in + } + out.ShutdownGracePeriod = in.ShutdownGracePeriod + out.ShutdownGracePeriodCriticalPods = in.ShutdownGracePeriodCriticalPods + if in.ShutdownGracePeriodByPodPriority != nil { + in, out := &in.ShutdownGracePeriodByPodPriority, &out.ShutdownGracePeriodByPodPriority + *out = make([]ShutdownGracePeriodByPodPriority, len(*in)) + copy(*out, *in) + } + if in.ReservedMemory != nil { + in, out := &in.ReservedMemory, &out.ReservedMemory + *out = make([]MemoryReservation, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.EnableProfilingHandler != nil { + in, out := &in.EnableProfilingHandler, &out.EnableProfilingHandler + *out = new(bool) + **out = **in + } + if in.EnableDebugFlagsHandler != nil { + in, out := &in.EnableDebugFlagsHandler, &out.EnableDebugFlagsHandler + *out = new(bool) + **out = **in + } + if in.SeccompDefault != nil { + in, out := &in.SeccompDefault, &out.SeccompDefault + *out = new(bool) + **out = **in + } + if in.MemoryThrottlingFactor != nil { + in, out := &in.MemoryThrottlingFactor, &out.MemoryThrottlingFactor + *out = new(float64) + **out = **in + } + if in.RegisterWithTaints != nil { + in, out := &in.RegisterWithTaints, &out.RegisterWithTaints + *out = make([]corev1.Taint, len(*in)) + for i := range *in { + (*in)[i].DeepCopyInto(&(*out)[i]) + } + } + if in.RegisterNode != nil { + in, out := &in.RegisterNode, &out.RegisterNode + *out = new(bool) + **out = **in + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletConfiguration. +func (in *KubeletConfiguration) DeepCopy() *KubeletConfiguration { + if in == nil { + return nil + } + out := new(KubeletConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *KubeletConfiguration) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletWebhookAuthentication) DeepCopyInto(out *KubeletWebhookAuthentication) { + *out = *in + if in.Enabled != nil { + in, out := &in.Enabled, &out.Enabled + *out = new(bool) + **out = **in + } + out.CacheTTL = in.CacheTTL + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletWebhookAuthentication. +func (in *KubeletWebhookAuthentication) DeepCopy() *KubeletWebhookAuthentication { + if in == nil { + return nil + } + out := new(KubeletWebhookAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletWebhookAuthorization) DeepCopyInto(out *KubeletWebhookAuthorization) { + *out = *in + out.CacheAuthorizedTTL = in.CacheAuthorizedTTL + out.CacheUnauthorizedTTL = in.CacheUnauthorizedTTL + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletWebhookAuthorization. +func (in *KubeletWebhookAuthorization) DeepCopy() *KubeletWebhookAuthorization { + if in == nil { + return nil + } + out := new(KubeletWebhookAuthorization) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *KubeletX509Authentication) DeepCopyInto(out *KubeletX509Authentication) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubeletX509Authentication. +func (in *KubeletX509Authentication) DeepCopy() *KubeletX509Authentication { + if in == nil { + return nil + } + out := new(KubeletX509Authentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MemoryReservation) DeepCopyInto(out *MemoryReservation) { + *out = *in + if in.Limits != nil { + in, out := &in.Limits, &out.Limits + *out = make(corev1.ResourceList, len(*in)) + for key, val := range *in { + (*out)[key] = val.DeepCopy() + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryReservation. +func (in *MemoryReservation) DeepCopy() *MemoryReservation { + if in == nil { + return nil + } + out := new(MemoryReservation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *MemorySwapConfiguration) DeepCopyInto(out *MemorySwapConfiguration) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemorySwapConfiguration. +func (in *MemorySwapConfiguration) DeepCopy() *MemorySwapConfiguration { + if in == nil { + return nil + } + out := new(MemorySwapConfiguration) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *SerializedNodeConfigSource) DeepCopyInto(out *SerializedNodeConfigSource) { + *out = *in + out.TypeMeta = in.TypeMeta + in.Source.DeepCopyInto(&out.Source) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SerializedNodeConfigSource. +func (in *SerializedNodeConfigSource) DeepCopy() *SerializedNodeConfigSource { + if in == nil { + return nil + } + out := new(SerializedNodeConfigSource) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *SerializedNodeConfigSource) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *ShutdownGracePeriodByPodPriority) DeepCopyInto(out *ShutdownGracePeriodByPodPriority) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShutdownGracePeriodByPodPriority. +func (in *ShutdownGracePeriodByPodPriority) DeepCopy() *ShutdownGracePeriodByPodPriority { + if in == nil { + return nil + } + out := new(ShutdownGracePeriodByPodPriority) + in.DeepCopyInto(out) + return out +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go new file mode 100644 index 00000000000..df4f4bf150d --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/doc.go @@ -0,0 +1,22 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// +k8s:deepcopy-gen=package +// +k8s:conversion-gen=k8s.io/kubelet/pkg/apis/credentialprovider +// +k8s:defaulter-gen=TypeMeta +// +groupName=credentialprovider.kubelet.k8s.io + +package v1beta1 // import "k8s.io/kubelet/pkg/apis/credentialprovider/v1beta1" diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go new file mode 100644 index 00000000000..75ec067cb03 --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/register.go @@ -0,0 +1,46 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + "k8s.io/apimachinery/pkg/runtime/schema" +) + +// GroupName is the group name use in this package +const GroupName = "credentialprovider.kubelet.k8s.io" + +// SchemeGroupVersion is group version used to register these objects +var ( + SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1beta1"} + localSchemeBuilder = &SchemeBuilder +) + +var ( + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + AddToScheme = SchemeBuilder.AddToScheme +) + +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &CredentialProviderRequest{}, + &CredentialProviderResponse{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go new file mode 100644 index 00000000000..2bc37ce9294 --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/types.go @@ -0,0 +1,117 @@ +/* +Copyright 2022 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1beta1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderRequest includes the image that the kubelet requires authentication for. +// Kubelet will pass this request object to the plugin via stdin. In general, plugins should +// prefer responding with the same apiVersion they were sent. +type CredentialProviderRequest struct { + metav1.TypeMeta `json:",inline"` + + // image is the container image that is being pulled as part of the + // credential provider plugin request. Plugins may optionally parse the image + // to extract any information required to fetch credentials. + Image string `json:"image"` +} + +type PluginCacheKeyType string + +const ( + // ImagePluginCacheKeyType means the kubelet will cache credentials on a per-image basis, + // using the image passed from the kubelet directly as the cache key. This includes + // the registry domain, port (if specified), and path but does not include tags or SHAs. + ImagePluginCacheKeyType PluginCacheKeyType = "Image" + // RegistryPluginCacheKeyType means the kubelet will cache credentials on a per-registry basis. + // The cache key will be based on the registry domain and port (if present) parsed from the requested image. + RegistryPluginCacheKeyType PluginCacheKeyType = "Registry" + // GlobalPluginCacheKeyType means the kubelet will cache credentials for all images that + // match for a given plugin. This cache key should only be returned by plugins that do not use + // the image input at all. + GlobalPluginCacheKeyType PluginCacheKeyType = "Global" +) + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// CredentialProviderResponse holds credentials that the kubelet should use for the specified +// image provided in the original request. Kubelet will read the response from the plugin via stdout. +// This response should be set to the same apiVersion as CredentialProviderRequest. +type CredentialProviderResponse struct { + metav1.TypeMeta `json:",inline"` + + // cacheKeyType indiciates the type of caching key to use based on the image provided + // in the request. There are three valid values for the cache key type: Image, Registry, and + // Global. If an invalid value is specified, the response will NOT be used by the kubelet. + CacheKeyType PluginCacheKeyType `json:"cacheKeyType"` + + // cacheDuration indicates the duration the provided credentials should be cached for. + // The kubelet will use this field to set the in-memory cache duration for credentials + // in the AuthConfig. If null, the kubelet will use defaultCacheDuration provided in + // CredentialProviderConfig. If set to 0, the kubelet will not cache the provided AuthConfig. + // +optional + CacheDuration *metav1.Duration `json:"cacheDuration,omitempty"` + + // auth is a map containing authentication information passed into the kubelet. + // Each key is a match image string (more on this below). The corresponding authConfig value + // should be valid for all images that match against this key. A plugin should set + // this field to null if no valid credentials can be returned for the requested image. + // + // Each key in the map is a pattern which can optionally contain a port and a path. + // Globs can be used in the domain, but not in the port or the path. Globs are supported + // as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'. + // Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match + // a single subdomain segment, so *.io does not match *.k8s.io. + // + // The kubelet will match images against the key when all of the below are true: + // - Both contain the same number of domain parts and each part matches. + // - The URL path of an imageMatch must be a prefix of the target image URL path. + // - If the imageMatch contains a port, then the port must match in the image as well. + // + // When multiple keys are returned, the kubelet will traverse all keys in reverse order so that: + // - longer keys come before shorter keys with the same prefix + // - non-wildcard keys come before wildcard keys with the same prefix. + // + // For any given match, the kubelet will attempt an image pull with the provided credentials, + // stopping after the first successfully authenticated pull. + // + // Example keys: + // - 123456789.dkr.ecr.us-east-1.amazonaws.com + // - *.azurecr.io + // - gcr.io + // - *.*.registry.io + // - registry.io:8080/path + // +optional + Auth map[string]AuthConfig `json:"auth,omitempty"` +} + +// AuthConfig contains authentication information for a container registry. +// Only username/password based authentication is supported today, but more authentication +// mechanisms may be added in the future. +type AuthConfig struct { + // username is the username used for authenticating to the container registry + // An empty username is valid. + Username string `json:"username"` + + // password is the password used for authenticating to the container registry + // An empty password is valid. + Password string `json:"password"` +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go new file mode 100644 index 00000000000..1991aab6dde --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.conversion.go @@ -0,0 +1,137 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by conversion-gen. DO NOT EDIT. + +package v1beta1 + +import ( + unsafe "unsafe" + + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + conversion "k8s.io/apimachinery/pkg/conversion" + runtime "k8s.io/apimachinery/pkg/runtime" + credentialprovider "k8s.io/kubelet/pkg/apis/credentialprovider" +) + +func init() { + localSchemeBuilder.Register(RegisterConversions) +} + +// RegisterConversions adds conversion functions to the given scheme. +// Public to allow building arbitrary schemes. +func RegisterConversions(s *runtime.Scheme) error { + if err := s.AddGeneratedConversionFunc((*AuthConfig)(nil), (*credentialprovider.AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(a.(*AuthConfig), b.(*credentialprovider.AuthConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*credentialprovider.AuthConfig)(nil), (*AuthConfig)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(a.(*credentialprovider.AuthConfig), b.(*AuthConfig), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*CredentialProviderRequest)(nil), (*credentialprovider.CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(a.(*CredentialProviderRequest), b.(*credentialprovider.CredentialProviderRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderRequest)(nil), (*CredentialProviderRequest)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(a.(*credentialprovider.CredentialProviderRequest), b.(*CredentialProviderRequest), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*CredentialProviderResponse)(nil), (*credentialprovider.CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(a.(*CredentialProviderResponse), b.(*credentialprovider.CredentialProviderResponse), scope) + }); err != nil { + return err + } + if err := s.AddGeneratedConversionFunc((*credentialprovider.CredentialProviderResponse)(nil), (*CredentialProviderResponse)(nil), func(a, b interface{}, scope conversion.Scope) error { + return Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(a.(*credentialprovider.CredentialProviderResponse), b.(*CredentialProviderResponse), scope) + }); err != nil { + return err + } + return nil +} + +func autoConvert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { + out.Username = in.Username + out.Password = in.Password + return nil +} + +// Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig is an autogenerated conversion function. +func Convert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in *AuthConfig, out *credentialprovider.AuthConfig, s conversion.Scope) error { + return autoConvert_v1beta1_AuthConfig_To_credentialprovider_AuthConfig(in, out, s) +} + +func autoConvert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { + out.Username = in.Username + out.Password = in.Password + return nil +} + +// Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig is an autogenerated conversion function. +func Convert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in *credentialprovider.AuthConfig, out *AuthConfig, s conversion.Scope) error { + return autoConvert_credentialprovider_AuthConfig_To_v1beta1_AuthConfig(in, out, s) +} + +func autoConvert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { + out.Image = in.Image + return nil +} + +// Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest is an autogenerated conversion function. +func Convert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in *CredentialProviderRequest, out *credentialprovider.CredentialProviderRequest, s conversion.Scope) error { + return autoConvert_v1beta1_CredentialProviderRequest_To_credentialprovider_CredentialProviderRequest(in, out, s) +} + +func autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { + out.Image = in.Image + return nil +} + +// Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest is an autogenerated conversion function. +func Convert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in *credentialprovider.CredentialProviderRequest, out *CredentialProviderRequest, s conversion.Scope) error { + return autoConvert_credentialprovider_CredentialProviderRequest_To_v1beta1_CredentialProviderRequest(in, out, s) +} + +func autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { + out.CacheKeyType = credentialprovider.PluginCacheKeyType(in.CacheKeyType) + out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration)) + out.Auth = *(*map[string]credentialprovider.AuthConfig)(unsafe.Pointer(&in.Auth)) + return nil +} + +// Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse is an autogenerated conversion function. +func Convert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in *CredentialProviderResponse, out *credentialprovider.CredentialProviderResponse, s conversion.Scope) error { + return autoConvert_v1beta1_CredentialProviderResponse_To_credentialprovider_CredentialProviderResponse(in, out, s) +} + +func autoConvert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { + out.CacheKeyType = PluginCacheKeyType(in.CacheKeyType) + out.CacheDuration = (*v1.Duration)(unsafe.Pointer(in.CacheDuration)) + out.Auth = *(*map[string]AuthConfig)(unsafe.Pointer(&in.Auth)) + return nil +} + +// Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse is an autogenerated conversion function. +func Convert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in *credentialprovider.CredentialProviderResponse, out *CredentialProviderResponse, s conversion.Scope) error { + return autoConvert_credentialprovider_CredentialProviderResponse_To_v1beta1_CredentialProviderResponse(in, out, s) +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go new file mode 100644 index 00000000000..ca2143c77fc --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.deepcopy.go @@ -0,0 +1,105 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1beta1 + +import ( + v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthConfig) DeepCopyInto(out *AuthConfig) { + *out = *in + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthConfig. +func (in *AuthConfig) DeepCopy() *AuthConfig { + if in == nil { + return nil + } + out := new(AuthConfig) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderRequest) DeepCopyInto(out *CredentialProviderRequest) { + *out = *in + out.TypeMeta = in.TypeMeta + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderRequest. +func (in *CredentialProviderRequest) DeepCopy() *CredentialProviderRequest { + if in == nil { + return nil + } + out := new(CredentialProviderRequest) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderRequest) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *CredentialProviderResponse) DeepCopyInto(out *CredentialProviderResponse) { + *out = *in + out.TypeMeta = in.TypeMeta + if in.CacheDuration != nil { + in, out := &in.CacheDuration, &out.CacheDuration + *out = new(v1.Duration) + **out = **in + } + if in.Auth != nil { + in, out := &in.Auth, &out.Auth + *out = make(map[string]AuthConfig, len(*in)) + for key, val := range *in { + (*out)[key] = val + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialProviderResponse. +func (in *CredentialProviderResponse) DeepCopy() *CredentialProviderResponse { + if in == nil { + return nil + } + out := new(CredentialProviderResponse) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *CredentialProviderResponse) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} diff --git a/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go new file mode 100644 index 00000000000..198b5be4af5 --- /dev/null +++ b/staging/src/k8s.io/kubelet/pkg/apis/credentialprovider/v1/zz_generated.defaults.go @@ -0,0 +1,33 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +/* +Copyright The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by defaulter-gen. DO NOT EDIT. + +package v1beta1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// RegisterDefaults adds defaulters functions to the given scheme. +// Public to allow building arbitrary schemes. +// All generated defaulters are covering - they call all nested defaulters. +func RegisterDefaults(scheme *runtime.Scheme) error { + return nil +}