1/* 2Copyright The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17 18// This file was autogenerated by go-to-protobuf. Do not edit it manually! 19 20syntax = 'proto2'; 21 22package k8s.io.api.admissionregistration.v1beta1; 23 24import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; 25import "k8s.io/apimachinery/pkg/runtime/generated.proto"; 26import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; 27 28// Package-wide variables from generator "generated". 29option go_package = "v1beta1"; 30 31// MutatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and may change the object. 32message MutatingWebhookConfiguration { 33 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata. 34 // +optional 35 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; 36 37 // Webhooks is a list of webhooks and the affected resources and operations. 38 // +optional 39 // +patchMergeKey=name 40 // +patchStrategy=merge 41 repeated Webhook Webhooks = 2; 42} 43 44// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration. 45message MutatingWebhookConfigurationList { 46 // Standard list metadata. 47 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds 48 // +optional 49 optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; 50 51 // List of MutatingWebhookConfiguration. 52 repeated MutatingWebhookConfiguration items = 2; 53} 54 55// Rule is a tuple of APIGroups, APIVersion, and Resources.It is recommended 56// to make sure that all the tuple expansions are valid. 57message Rule { 58 // APIGroups is the API groups the resources belong to. '*' is all groups. 59 // If '*' is present, the length of the slice must be one. 60 // Required. 61 repeated string apiGroups = 1; 62 63 // APIVersions is the API versions the resources belong to. '*' is all versions. 64 // If '*' is present, the length of the slice must be one. 65 // Required. 66 repeated string apiVersions = 2; 67 68 // Resources is a list of resources this rule applies to. 69 // 70 // For example: 71 // 'pods' means pods. 72 // 'pods/log' means the log subresource of pods. 73 // '*' means all resources, but not subresources. 74 // 'pods/*' means all subresources of pods. 75 // '*/scale' means all scale subresources. 76 // '*/*' means all resources and their subresources. 77 // 78 // If wildcard is present, the validation rule will ensure resources do not 79 // overlap with each other. 80 // 81 // Depending on the enclosing object, subresources might not be allowed. 82 // Required. 83 repeated string resources = 3; 84 85 // scope specifies the scope of this rule. 86 // Valid values are "Cluster", "Namespaced", and "*" 87 // "Cluster" means that only cluster-scoped resources will match this rule. 88 // Namespace API objects are cluster-scoped. 89 // "Namespaced" means that only namespaced resources will match this rule. 90 // "*" means that there are no scope restrictions. 91 // Subresources match the scope of their parent resource. 92 // Default is "*". 93 // 94 // +optional 95 optional string scope = 4; 96} 97 98// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make 99// sure that all the tuple expansions are valid. 100message RuleWithOperations { 101 // Operations is the operations the admission hook cares about - CREATE, UPDATE, or * 102 // for all operations. 103 // If '*' is present, the length of the slice must be one. 104 // Required. 105 repeated string operations = 1; 106 107 // Rule is embedded, it describes other criteria of the rule, like 108 // APIGroups, APIVersions, Resources, etc. 109 optional Rule rule = 2; 110} 111 112// ServiceReference holds a reference to Service.legacy.k8s.io 113message ServiceReference { 114 // `namespace` is the namespace of the service. 115 // Required 116 optional string namespace = 1; 117 118 // `name` is the name of the service. 119 // Required 120 optional string name = 2; 121 122 // `path` is an optional URL path which will be sent in any request to 123 // this service. 124 // +optional 125 optional string path = 3; 126} 127 128// ValidatingWebhookConfiguration describes the configuration of and admission webhook that accept or reject and object without changing it. 129message ValidatingWebhookConfiguration { 130 // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata. 131 // +optional 132 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; 133 134 // Webhooks is a list of webhooks and the affected resources and operations. 135 // +optional 136 // +patchMergeKey=name 137 // +patchStrategy=merge 138 repeated Webhook Webhooks = 2; 139} 140 141// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration. 142message ValidatingWebhookConfigurationList { 143 // Standard list metadata. 144 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds 145 // +optional 146 optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; 147 148 // List of ValidatingWebhookConfiguration. 149 repeated ValidatingWebhookConfiguration items = 2; 150} 151 152// Webhook describes an admission webhook and the resources and operations it applies to. 153message Webhook { 154 // The name of the admission webhook. 155 // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where 156 // "imagepolicy" is the name of the webhook, and kubernetes.io is the name 157 // of the organization. 158 // Required. 159 optional string name = 1; 160 161 // ClientConfig defines how to communicate with the hook. 162 // Required 163 optional WebhookClientConfig clientConfig = 2; 164 165 // Rules describes what operations on what resources/subresources the webhook cares about. 166 // The webhook cares about an operation if it matches _any_ Rule. 167 // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks 168 // from putting the cluster in a state which cannot be recovered from without completely 169 // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called 170 // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects. 171 repeated RuleWithOperations rules = 3; 172 173 // FailurePolicy defines how unrecognized errors from the admission endpoint are handled - 174 // allowed values are Ignore or Fail. Defaults to Ignore. 175 // +optional 176 optional string failurePolicy = 4; 177 178 // NamespaceSelector decides whether to run the webhook on an object based 179 // on whether the namespace for that object matches the selector. If the 180 // object itself is a namespace, the matching is performed on 181 // object.metadata.labels. If the object is another cluster scoped resource, 182 // it never skips the webhook. 183 // 184 // For example, to run the webhook on any objects whose namespace is not 185 // associated with "runlevel" of "0" or "1"; you will set the selector as 186 // follows: 187 // "namespaceSelector": { 188 // "matchExpressions": [ 189 // { 190 // "key": "runlevel", 191 // "operator": "NotIn", 192 // "values": [ 193 // "0", 194 // "1" 195 // ] 196 // } 197 // ] 198 // } 199 // 200 // If instead you want to only run the webhook on any objects whose 201 // namespace is associated with the "environment" of "prod" or "staging"; 202 // you will set the selector as follows: 203 // "namespaceSelector": { 204 // "matchExpressions": [ 205 // { 206 // "key": "environment", 207 // "operator": "In", 208 // "values": [ 209 // "prod", 210 // "staging" 211 // ] 212 // } 213 // ] 214 // } 215 // 216 // See 217 // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/ 218 // for more examples of label selectors. 219 // 220 // Default to the empty LabelSelector, which matches everything. 221 // +optional 222 optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5; 223 224 // SideEffects states whether this webhookk has side effects. 225 // Acceptable values are: Unknown, None, Some, NoneOnDryRun 226 // Webhooks with side effects MUST implement a reconciliation system, since a request may be 227 // rejected by a future step in the admission change and the side effects therefore need to be undone. 228 // Requests with the dryRun attribute will be auto-rejected if they match a webhook with 229 // sideEffects == Unknown or Some. Defaults to Unknown. 230 // +optional 231 optional string sideEffects = 6; 232 233 // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes, 234 // the webhook call will be ignored or the API call will fail based on the 235 // failure policy. 236 // The timeout value must be between 1 and 30 seconds. 237 // Default to 30 seconds. 238 // +optional 239 optional int32 timeoutSeconds = 7; 240 241 // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview` 242 // versions the Webhook expects. API server will try to use first version in 243 // the list which it supports. If none of the versions specified in this list 244 // supported by API server, validation will fail for this object. 245 // If a persisted webhook configuration specifies allowed versions and does not 246 // include any versions known to the API Server, calls to the webhook will fail 247 // and be subject to the failure policy. 248 // Default to `['v1beta1']`. 249 // +optional 250 repeated string admissionReviewVersions = 8; 251} 252 253// WebhookClientConfig contains the information to make a TLS 254// connection with the webhook 255message WebhookClientConfig { 256 // `url` gives the location of the webhook, in standard URL form 257 // (`scheme://host:port/path`). Exactly one of `url` or `service` 258 // must be specified. 259 // 260 // The `host` should not refer to a service running in the cluster; use 261 // the `service` field instead. The host might be resolved via external 262 // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve 263 // in-cluster DNS as that would be a layering violation). `host` may 264 // also be an IP address. 265 // 266 // Please note that using `localhost` or `127.0.0.1` as a `host` is 267 // risky unless you take great care to run this webhook on all hosts 268 // which run an apiserver which might need to make calls to this 269 // webhook. Such installs are likely to be non-portable, i.e., not easy 270 // to turn up in a new cluster. 271 // 272 // The scheme must be "https"; the URL must begin with "https://". 273 // 274 // A path is optional, and if present may be any string permissible in 275 // a URL. You may use the path to pass an arbitrary string to the 276 // webhook, for example, a cluster identifier. 277 // 278 // Attempting to use a user or basic auth e.g. "user:password@" is not 279 // allowed. Fragments ("#...") and query parameters ("?...") are not 280 // allowed, either. 281 // 282 // +optional 283 optional string url = 3; 284 285 // `service` is a reference to the service for this webhook. Either 286 // `service` or `url` must be specified. 287 // 288 // If the webhook is running within the cluster, then you should use `service`. 289 // 290 // Port 443 will be used if it is open, otherwise it is an error. 291 // 292 // +optional 293 optional ServiceReference service = 1; 294 295 // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate. 296 // If unspecified, system trust roots on the apiserver are used. 297 // +optional 298 optional bytes caBundle = 2; 299} 300 301