rancher/norman
1
0
Fork 0
mirror of https://github.com/rancher/norman.git synced 2025-09-24 20:48:18 +00:00
Code Issues Releases Wiki Activity

k8s vendor to 1.10.5

Browse Source
This commit is contained in:
Alena Prokharchyk
2018-07-11 16:42:39 -07:00
parent 26d279bce1
commit 57e8282a33
1261 changed files with 72487 additions and 71790 deletions
Download Patch File Download Diff File Expand all files Collapse all files

195
vendor/k8s.io/api/policy/v1beta1/generated.proto generated vendored
View File

@@ -1,5 +1,5 @@
/*
Copyright 2017 The Kubernetes Authors.
Copyright 2018 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
@@ -30,6 +30,25 @@ import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
// Package-wide variables from generator "generated".
option go_package = "v1beta1";
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
message AllowedFlexVolume {
// Driver is the name of the Flexvolume driver.
optional string driver = 1;
}
// defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
message AllowedHostPath {
// is the path prefix that the host volume must match.
// It does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
optional string pathPrefix = 1;
}
// Eviction evicts a pod from its node subject to certain policies and safety constraints.
// This is a subresource of Pod. A request to cause such an eviction is
// created by POSTing to .../pods/<pod name>/evictions.
@@ -41,6 +60,37 @@ message Eviction {
optional k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions deleteOptions = 2;
}
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
message FSGroupStrategyOptions {
// Rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
// +optional
optional string rule = 1;
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end.
// +optional
repeated IDRange ranges = 2;
}
// Host Port Range defines a range of host ports that will be enabled by a policy
// for pods to use. It requires both the start and end to be defined.
message HostPortRange {
// min is the start of the range, inclusive.
optional int32 min = 1;
// max is the end of the range, inclusive.
optional int32 max = 2;
}
// ID Range provides a min/max of an allowed range of IDs.
message IDRange {
// Min is the start of the range, inclusive.
optional int64 min = 1;
// Max is the end of the range, inclusive.
optional int64 max = 2;
}
// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
message PodDisruptionBudget {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
@@ -112,3 +162,146 @@ message PodDisruptionBudgetStatus {
optional int32 expectedPods = 6;
}
// Pod Security Policy governs the ability to make requests that affect the Security Context
// that will be applied to a pod and container.
message PodSecurityPolicy {
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
// spec defines the policy enforced.
// +optional
optional PodSecurityPolicySpec spec = 2;
}
// Pod Security Policy List is a list of PodSecurityPolicy objects.
message PodSecurityPolicyList {
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
// +optional
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
// Items is a list of schema objects.
repeated PodSecurityPolicy items = 2;
}
// Pod Security Policy Spec defines the policy enforced.
message PodSecurityPolicySpec {
// privileged determines if a pod can request to be run as privileged.
// +optional
optional bool privileged = 1;
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capability in both
// DefaultAddCapabilities and RequiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the AllowedCapabilities list.
// +optional
repeated string defaultAddCapabilities = 2;
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +optional
repeated string requiredDropCapabilities = 3;
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field may be added at the pod author's discretion.
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
// +optional
repeated string allowedCapabilities = 4;
// volumes is a white list of allowed volume plugins. Empty indicates that all plugins
// may be used.
// +optional
repeated string volumes = 5;
// hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
// +optional
optional bool hostNetwork = 6;
// hostPorts determines which host port ranges are allowed to be exposed.
// +optional
repeated HostPortRange hostPorts = 7;
// hostPID determines if the policy allows the use of HostPID in the pod spec.
// +optional
optional bool hostPID = 8;
// hostIPC determines if the policy allows the use of HostIPC in the pod spec.
// +optional
optional bool hostIPC = 9;
// seLinux is the strategy that will dictate the allowable labels that may be set.
optional SELinuxStrategyOptions seLinux = 10;
// runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
optional RunAsUserStrategyOptions runAsUser = 11;
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
optional SupplementalGroupsStrategyOptions supplementalGroups = 12;
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
optional FSGroupStrategyOptions fsGroup = 13;
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the PSP should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
// +optional
optional bool readOnlyRootFilesystem = 14;
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
optional bool defaultAllowPrivilegeEscalation = 15;
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
optional bool allowPrivilegeEscalation = 16;
// is a white list of allowed host paths. Empty indicates that all host paths may be used.
// +optional
repeated AllowedHostPath allowedHostPaths = 17;
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
repeated AllowedFlexVolume allowedFlexVolumes = 18;
}
// Run A sUser Strategy Options defines the strategy type and any options used to create the strategy.
message RunAsUserStrategyOptions {
// Rule is the strategy that will dictate the allowable RunAsUser values that may be set.
optional string rule = 1;
// Ranges are the allowed ranges of uids that may be used.
// +optional
repeated IDRange ranges = 2;
}
// SELinux Strategy Options defines the strategy type and any options used to create the strategy.
message SELinuxStrategyOptions {
// type is the strategy that will dictate the allowable labels that may be set.
optional string rule = 1;
// seLinuxOptions required to run as; required for MustRunAs
// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
// +optional
optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
}
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
message SupplementalGroupsStrategyOptions {
// Rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
// +optional
optional string rule = 1;
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end.
// +optional
repeated IDRange ranges = 2;
}