1/* 2Copyright 2018 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17// To regenerate api.pb.go run hack/update-generated-runtime.sh 18syntax = "proto3"; 19 20package runtime.v1alpha2; 21option go_package = "v1alpha2"; 22 23import "github.com/gogo/protobuf/gogoproto/gogo.proto"; 24 25option (gogoproto.goproto_stringer_all) = false; 26option (gogoproto.stringer_all) = true; 27option (gogoproto.goproto_getters_all) = true; 28option (gogoproto.marshaler_all) = true; 29option (gogoproto.sizer_all) = true; 30option (gogoproto.unmarshaler_all) = true; 31option (gogoproto.goproto_unrecognized_all) = false; 32 33// Runtime service defines the public APIs for remote container runtimes 34service RuntimeService { 35 // Version returns the runtime name, runtime version, and runtime API version. 36 rpc Version(VersionRequest) returns (VersionResponse) {} 37 38 // RunPodSandbox creates and starts a pod-level sandbox. Runtimes must ensure 39 // the sandbox is in the ready state on success. 40 rpc RunPodSandbox(RunPodSandboxRequest) returns (RunPodSandboxResponse) {} 41 // StopPodSandbox stops any running process that is part of the sandbox and 42 // reclaims network resources (e.g., IP addresses) allocated to the sandbox. 43 // If there are any running containers in the sandbox, they must be forcibly 44 // terminated. 45 // This call is idempotent, and must not return an error if all relevant 46 // resources have already been reclaimed. kubelet will call StopPodSandbox 47 // at least once before calling RemovePodSandbox. It will also attempt to 48 // reclaim resources eagerly, as soon as a sandbox is not needed. Hence, 49 // multiple StopPodSandbox calls are expected. 50 rpc StopPodSandbox(StopPodSandboxRequest) returns (StopPodSandboxResponse) {} 51 // RemovePodSandbox removes the sandbox. If there are any running containers 52 // in the sandbox, they must be forcibly terminated and removed. 53 // This call is idempotent, and must not return an error if the sandbox has 54 // already been removed. 55 rpc RemovePodSandbox(RemovePodSandboxRequest) returns (RemovePodSandboxResponse) {} 56 // PodSandboxStatus returns the status of the PodSandbox. If the PodSandbox is not 57 // present, returns an error. 58 rpc PodSandboxStatus(PodSandboxStatusRequest) returns (PodSandboxStatusResponse) {} 59 // ListPodSandbox returns a list of PodSandboxes. 60 rpc ListPodSandbox(ListPodSandboxRequest) returns (ListPodSandboxResponse) {} 61 62 // CreateContainer creates a new container in specified PodSandbox 63 rpc CreateContainer(CreateContainerRequest) returns (CreateContainerResponse) {} 64 // StartContainer starts the container. 65 rpc StartContainer(StartContainerRequest) returns (StartContainerResponse) {} 66 // StopContainer stops a running container with a grace period (i.e., timeout). 67 // This call is idempotent, and must not return an error if the container has 68 // already been stopped. 69 // TODO: what must the runtime do after the grace period is reached? 70 rpc StopContainer(StopContainerRequest) returns (StopContainerResponse) {} 71 // RemoveContainer removes the container. If the container is running, the 72 // container must be forcibly removed. 73 // This call is idempotent, and must not return an error if the container has 74 // already been removed. 75 rpc RemoveContainer(RemoveContainerRequest) returns (RemoveContainerResponse) {} 76 // ListContainers lists all containers by filters. 77 rpc ListContainers(ListContainersRequest) returns (ListContainersResponse) {} 78 // ContainerStatus returns status of the container. If the container is not 79 // present, returns an error. 80 rpc ContainerStatus(ContainerStatusRequest) returns (ContainerStatusResponse) {} 81 // UpdateContainerResources updates ContainerConfig of the container. 82 rpc UpdateContainerResources(UpdateContainerResourcesRequest) returns (UpdateContainerResourcesResponse) {} 83 // ReopenContainerLog asks runtime to reopen the stdout/stderr log file 84 // for the container. This is often called after the log file has been 85 // rotated. If the container is not running, container runtime can choose 86 // to either create a new log file and return nil, or return an error. 87 // Once it returns error, new container log file MUST NOT be created. 88 rpc ReopenContainerLog(ReopenContainerLogRequest) returns (ReopenContainerLogResponse) {} 89 90 // ExecSync runs a command in a container synchronously. 91 rpc ExecSync(ExecSyncRequest) returns (ExecSyncResponse) {} 92 // Exec prepares a streaming endpoint to execute a command in the container. 93 rpc Exec(ExecRequest) returns (ExecResponse) {} 94 // Attach prepares a streaming endpoint to attach to a running container. 95 rpc Attach(AttachRequest) returns (AttachResponse) {} 96 // PortForward prepares a streaming endpoint to forward ports from a PodSandbox. 97 rpc PortForward(PortForwardRequest) returns (PortForwardResponse) {} 98 99 // ContainerStats returns stats of the container. If the container does not 100 // exist, the call returns an error. 101 rpc ContainerStats(ContainerStatsRequest) returns (ContainerStatsResponse) {} 102 // ListContainerStats returns stats of all running containers. 103 rpc ListContainerStats(ListContainerStatsRequest) returns (ListContainerStatsResponse) {} 104 105 // UpdateRuntimeConfig updates the runtime configuration based on the given request. 106 rpc UpdateRuntimeConfig(UpdateRuntimeConfigRequest) returns (UpdateRuntimeConfigResponse) {} 107 108 // Status returns the status of the runtime. 109 rpc Status(StatusRequest) returns (StatusResponse) {} 110} 111 112// ImageService defines the public APIs for managing images. 113service ImageService { 114 // ListImages lists existing images. 115 rpc ListImages(ListImagesRequest) returns (ListImagesResponse) {} 116 // ImageStatus returns the status of the image. If the image is not 117 // present, returns a response with ImageStatusResponse.Image set to 118 // nil. 119 rpc ImageStatus(ImageStatusRequest) returns (ImageStatusResponse) {} 120 // PullImage pulls an image with authentication config. 121 rpc PullImage(PullImageRequest) returns (PullImageResponse) {} 122 // RemoveImage removes the image. 123 // This call is idempotent, and must not return an error if the image has 124 // already been removed. 125 rpc RemoveImage(RemoveImageRequest) returns (RemoveImageResponse) {} 126 // ImageFSInfo returns information of the filesystem that is used to store images. 127 rpc ImageFsInfo(ImageFsInfoRequest) returns (ImageFsInfoResponse) {} 128} 129 130message VersionRequest { 131 // Version of the kubelet runtime API. 132 string version = 1; 133} 134 135message VersionResponse { 136 // Version of the kubelet runtime API. 137 string version = 1; 138 // Name of the container runtime. 139 string runtime_name = 2; 140 // Version of the container runtime. The string must be 141 // semver-compatible. 142 string runtime_version = 3; 143 // API version of the container runtime. The string must be 144 // semver-compatible. 145 string runtime_api_version = 4; 146} 147 148// DNSConfig specifies the DNS servers and search domains of a sandbox. 149message DNSConfig { 150 // List of DNS servers of the cluster. 151 repeated string servers = 1; 152 // List of DNS search domains of the cluster. 153 repeated string searches = 2; 154 // List of DNS options. See https://linux.die.net/man/5/resolv.conf 155 // for all available options. 156 repeated string options = 3; 157} 158 159enum Protocol { 160 TCP = 0; 161 UDP = 1; 162 SCTP = 2; 163} 164 165// PortMapping specifies the port mapping configurations of a sandbox. 166message PortMapping { 167 // Protocol of the port mapping. 168 Protocol protocol = 1; 169 // Port number within the container. Default: 0 (not specified). 170 int32 container_port = 2; 171 // Port number on the host. Default: 0 (not specified). 172 int32 host_port = 3; 173 // Host IP. 174 string host_ip = 4; 175} 176 177enum MountPropagation { 178 // No mount propagation ("private" in Linux terminology). 179 PROPAGATION_PRIVATE = 0; 180 // Mounts get propagated from the host to the container ("rslave" in Linux). 181 PROPAGATION_HOST_TO_CONTAINER = 1; 182 // Mounts get propagated from the host to the container and from the 183 // container to the host ("rshared" in Linux). 184 PROPAGATION_BIDIRECTIONAL = 2; 185} 186 187// Mount specifies a host volume to mount into a container. 188message Mount { 189 // Path of the mount within the container. 190 string container_path = 1; 191 // Path of the mount on the host. If the hostPath doesn't exist, then runtimes 192 // should report error. If the hostpath is a symbolic link, runtimes should 193 // follow the symlink and mount the real destination to container. 194 string host_path = 2; 195 // If set, the mount is read-only. 196 bool readonly = 3; 197 // If set, the mount needs SELinux relabeling. 198 bool selinux_relabel = 4; 199 // Requested propagation mode. 200 MountPropagation propagation = 5; 201} 202 203// A NamespaceMode describes the intended namespace configuration for each 204// of the namespaces (Network, PID, IPC) in NamespaceOption. Runtimes should 205// map these modes as appropriate for the technology underlying the runtime. 206enum NamespaceMode { 207 // A POD namespace is common to all containers in a pod. 208 // For example, a container with a PID namespace of POD expects to view 209 // all of the processes in all of the containers in the pod. 210 POD = 0; 211 // A CONTAINER namespace is restricted to a single container. 212 // For example, a container with a PID namespace of CONTAINER expects to 213 // view only the processes in that container. 214 CONTAINER = 1; 215 // A NODE namespace is the namespace of the Kubernetes node. 216 // For example, a container with a PID namespace of NODE expects to view 217 // all of the processes on the host running the kubelet. 218 NODE = 2; 219 // TARGET targets the namespace of another container. When this is specified, 220 // a target_id must be specified in NamespaceOption and refer to a container 221 // previously created with NamespaceMode CONTAINER. This containers namespace 222 // will be made to match that of container target_id. 223 // For example, a container with a PID namespace of TARGET expects to view 224 // all of the processes that container target_id can view. 225 TARGET = 3; 226} 227 228// NamespaceOption provides options for Linux namespaces. 229message NamespaceOption { 230 // Network namespace for this container/sandbox. 231 // Note: There is currently no way to set CONTAINER scoped network in the Kubernetes API. 232 // Namespaces currently set by the kubelet: POD, NODE 233 NamespaceMode network = 1; 234 // PID namespace for this container/sandbox. 235 // Note: The CRI default is POD, but the v1.PodSpec default is CONTAINER. 236 // The kubelet's runtime manager will set this to CONTAINER explicitly for v1 pods. 237 // Namespaces currently set by the kubelet: POD, CONTAINER, NODE, TARGET 238 NamespaceMode pid = 2; 239 // IPC namespace for this container/sandbox. 240 // Note: There is currently no way to set CONTAINER scoped IPC in the Kubernetes API. 241 // Namespaces currently set by the kubelet: POD, NODE 242 NamespaceMode ipc = 3; 243 // Target Container ID for NamespaceMode of TARGET. This container must have been 244 // previously created in the same pod. It is not possible to specify different targets 245 // for each namespace. 246 string target_id = 4; 247} 248 249// Int64Value is the wrapper of int64. 250message Int64Value { 251 // The value. 252 int64 value = 1; 253} 254 255// LinuxSandboxSecurityContext holds linux security configuration that will be 256// applied to a sandbox. Note that: 257// 1) It does not apply to containers in the pods. 258// 2) It may not be applicable to a PodSandbox which does not contain any running 259// process. 260message LinuxSandboxSecurityContext { 261 // Configurations for the sandbox's namespaces. 262 // This will be used only if the PodSandbox uses namespace for isolation. 263 NamespaceOption namespace_options = 1; 264 // Optional SELinux context to be applied. 265 SELinuxOption selinux_options = 2; 266 // UID to run sandbox processes as, when applicable. 267 Int64Value run_as_user = 3; 268 // GID to run sandbox processes as, when applicable. run_as_group should only 269 // be specified when run_as_user is specified; otherwise, the runtime MUST error. 270 Int64Value run_as_group = 8; 271 // If set, the root filesystem of the sandbox is read-only. 272 bool readonly_rootfs = 4; 273 // List of groups applied to the first process run in the sandbox, in 274 // addition to the sandbox's primary GID. 275 repeated int64 supplemental_groups = 5; 276 // Indicates whether the sandbox will be asked to run a privileged 277 // container. If a privileged container is to be executed within it, this 278 // MUST be true. 279 // This allows a sandbox to take additional security precautions if no 280 // privileged containers are expected to be run. 281 bool privileged = 6; 282 // Seccomp profile for the sandbox. 283 SecurityProfile seccomp = 9; 284 // AppArmor profile for the sandbox. 285 SecurityProfile apparmor = 10; 286 // Seccomp profile for the sandbox, candidate values are: 287 // * runtime/default: the default profile for the container runtime 288 // * unconfined: unconfined profile, ie, no seccomp sandboxing 289 // * localhost/<full-path-to-profile>: the profile installed on the node. 290 // <full-path-to-profile> is the full path of the profile. 291 // Default: "", which is identical with unconfined. 292 string seccomp_profile_path = 7 [deprecated=true]; 293} 294 295// A security profile which can be used for sandboxes and containers. 296message SecurityProfile { 297 // Available profile types. 298 enum ProfileType { 299 // The container runtime default profile should be used. 300 RuntimeDefault = 0; 301 // Disable the feature for the sandbox or the container. 302 Unconfined = 1; 303 // A pre-defined profile on the node should be used. 304 Localhost = 2; 305 } 306 // Indicator which `ProfileType` should be applied. 307 ProfileType profile_type = 1; 308 // Indicates that a pre-defined profile on the node should be used. 309 // Must only be set if `ProfileType` is `Localhost`. 310 // For seccomp, it must be an absolute path to the seccomp profile. 311 // For AppArmor, this field is the AppArmor `<profile name>/` 312 string localhost_ref = 2; 313} 314 315// LinuxPodSandboxConfig holds platform-specific configurations for Linux 316// host platforms and Linux-based containers. 317message LinuxPodSandboxConfig { 318 // Parent cgroup of the PodSandbox. 319 // The cgroupfs style syntax will be used, but the container runtime can 320 // convert it to systemd semantics if needed. 321 string cgroup_parent = 1; 322 // LinuxSandboxSecurityContext holds sandbox security attributes. 323 LinuxSandboxSecurityContext security_context = 2; 324 // Sysctls holds linux sysctls config for the sandbox. 325 map<string, string> sysctls = 3; 326} 327 328// PodSandboxMetadata holds all necessary information for building the sandbox name. 329// The container runtime is encouraged to expose the metadata associated with the 330// PodSandbox in its user interface for better user experience. For example, 331// the runtime can construct a unique PodSandboxName based on the metadata. 332message PodSandboxMetadata { 333 // Pod name of the sandbox. Same as the pod name in the Pod ObjectMeta. 334 string name = 1; 335 // Pod UID of the sandbox. Same as the pod UID in the Pod ObjectMeta. 336 string uid = 2; 337 // Pod namespace of the sandbox. Same as the pod namespace in the Pod ObjectMeta. 338 string namespace = 3; 339 // Attempt number of creating the sandbox. Default: 0. 340 uint32 attempt = 4; 341} 342 343// PodSandboxConfig holds all the required and optional fields for creating a 344// sandbox. 345message PodSandboxConfig { 346 // Metadata of the sandbox. This information will uniquely identify the 347 // sandbox, and the runtime should leverage this to ensure correct 348 // operation. The runtime may also use this information to improve UX, such 349 // as by constructing a readable name. 350 PodSandboxMetadata metadata = 1; 351 // Hostname of the sandbox. Hostname could only be empty when the pod 352 // network namespace is NODE. 353 string hostname = 2; 354 // Path to the directory on the host in which container log files are 355 // stored. 356 // By default the log of a container going into the LogDirectory will be 357 // hooked up to STDOUT and STDERR. However, the LogDirectory may contain 358 // binary log files with structured logging data from the individual 359 // containers. For example, the files might be newline separated JSON 360 // structured logs, systemd-journald journal files, gRPC trace files, etc. 361 // E.g., 362 // PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/` 363 // ContainerConfig.LogPath = `containerName/Instance#.log` 364 // 365 // WARNING: Log management and how kubelet should interface with the 366 // container logs are under active discussion in 367 // https://issues.k8s.io/24677. There *may* be future change of direction 368 // for logging as the discussion carries on. 369 string log_directory = 3; 370 // DNS config for the sandbox. 371 DNSConfig dns_config = 4; 372 // Port mappings for the sandbox. 373 repeated PortMapping port_mappings = 5; 374 // Key-value pairs that may be used to scope and select individual resources. 375 map<string, string> labels = 6; 376 // Unstructured key-value map that may be set by the kubelet to store and 377 // retrieve arbitrary metadata. This will include any annotations set on a 378 // pod through the Kubernetes API. 379 // 380 // Annotations MUST NOT be altered by the runtime; the annotations stored 381 // here MUST be returned in the PodSandboxStatus associated with the pod 382 // this PodSandboxConfig creates. 383 // 384 // In general, in order to preserve a well-defined interface between the 385 // kubelet and the container runtime, annotations SHOULD NOT influence 386 // runtime behaviour. 387 // 388 // Annotations can also be useful for runtime authors to experiment with 389 // new features that are opaque to the Kubernetes APIs (both user-facing 390 // and the CRI). Whenever possible, however, runtime authors SHOULD 391 // consider proposing new typed fields for any new features instead. 392 map<string, string> annotations = 7; 393 // Optional configurations specific to Linux hosts. 394 LinuxPodSandboxConfig linux = 8; 395} 396 397message RunPodSandboxRequest { 398 // Configuration for creating a PodSandbox. 399 PodSandboxConfig config = 1; 400 // Named runtime configuration to use for this PodSandbox. 401 // If the runtime handler is unknown, this request should be rejected. An 402 // empty string should select the default handler, equivalent to the 403 // behavior before this feature was added. 404 // See https://git.k8s.io/enhancements/keps/sig-node/runtime-class.md 405 string runtime_handler = 2; 406} 407 408message RunPodSandboxResponse { 409 // ID of the PodSandbox to run. 410 string pod_sandbox_id = 1; 411} 412 413message StopPodSandboxRequest { 414 // ID of the PodSandbox to stop. 415 string pod_sandbox_id = 1; 416} 417 418message StopPodSandboxResponse {} 419 420message RemovePodSandboxRequest { 421 // ID of the PodSandbox to remove. 422 string pod_sandbox_id = 1; 423} 424 425message RemovePodSandboxResponse {} 426 427message PodSandboxStatusRequest { 428 // ID of the PodSandbox for which to retrieve status. 429 string pod_sandbox_id = 1; 430 // Verbose indicates whether to return extra information about the pod sandbox. 431 bool verbose = 2; 432} 433 434// PodIP represents an ip of a Pod 435message PodIP{ 436 // an ip is a string representation of an IPv4 or an IPv6 437 string ip = 1; 438} 439// PodSandboxNetworkStatus is the status of the network for a PodSandbox. 440message PodSandboxNetworkStatus { 441 // IP address of the PodSandbox. 442 string ip = 1; 443 // list of additional ips (not inclusive of PodSandboxNetworkStatus.Ip) of the PodSandBoxNetworkStatus 444 repeated PodIP additional_ips = 2; 445} 446 447// Namespace contains paths to the namespaces. 448message Namespace { 449 // Namespace options for Linux namespaces. 450 NamespaceOption options = 2; 451} 452 453// LinuxSandboxStatus contains status specific to Linux sandboxes. 454message LinuxPodSandboxStatus { 455 // Paths to the sandbox's namespaces. 456 Namespace namespaces = 1; 457} 458 459enum PodSandboxState { 460 SANDBOX_READY = 0; 461 SANDBOX_NOTREADY = 1; 462} 463 464// PodSandboxStatus contains the status of the PodSandbox. 465message PodSandboxStatus { 466 // ID of the sandbox. 467 string id = 1; 468 // Metadata of the sandbox. 469 PodSandboxMetadata metadata = 2; 470 // State of the sandbox. 471 PodSandboxState state = 3; 472 // Creation timestamp of the sandbox in nanoseconds. Must be > 0. 473 int64 created_at = 4; 474 // Network contains network status if network is handled by the runtime. 475 PodSandboxNetworkStatus network = 5; 476 // Linux-specific status to a pod sandbox. 477 LinuxPodSandboxStatus linux = 6; 478 // Labels are key-value pairs that may be used to scope and select individual resources. 479 map<string, string> labels = 7; 480 // Unstructured key-value map holding arbitrary metadata. 481 // Annotations MUST NOT be altered by the runtime; the value of this field 482 // MUST be identical to that of the corresponding PodSandboxConfig used to 483 // instantiate the pod sandbox this status represents. 484 map<string, string> annotations = 8; 485 // runtime configuration used for this PodSandbox. 486 string runtime_handler = 9; 487} 488 489message PodSandboxStatusResponse { 490 // Status of the PodSandbox. 491 PodSandboxStatus status = 1; 492 // Info is extra information of the PodSandbox. The key could be arbitrary string, and 493 // value should be in json format. The information could include anything useful for 494 // debug, e.g. network namespace for linux container based container runtime. 495 // It should only be returned non-empty when Verbose is true. 496 map<string, string> info = 2; 497} 498 499// PodSandboxStateValue is the wrapper of PodSandboxState. 500message PodSandboxStateValue { 501 // State of the sandbox. 502 PodSandboxState state = 1; 503} 504 505// PodSandboxFilter is used to filter a list of PodSandboxes. 506// All those fields are combined with 'AND' 507message PodSandboxFilter { 508 // ID of the sandbox. 509 string id = 1; 510 // State of the sandbox. 511 PodSandboxStateValue state = 2; 512 // LabelSelector to select matches. 513 // Only api.MatchLabels is supported for now and the requirements 514 // are ANDed. MatchExpressions is not supported yet. 515 map<string, string> label_selector = 3; 516} 517 518message ListPodSandboxRequest { 519 // PodSandboxFilter to filter a list of PodSandboxes. 520 PodSandboxFilter filter = 1; 521} 522 523 524// PodSandbox contains minimal information about a sandbox. 525message PodSandbox { 526 // ID of the PodSandbox. 527 string id = 1; 528 // Metadata of the PodSandbox. 529 PodSandboxMetadata metadata = 2; 530 // State of the PodSandbox. 531 PodSandboxState state = 3; 532 // Creation timestamps of the PodSandbox in nanoseconds. Must be > 0. 533 int64 created_at = 4; 534 // Labels of the PodSandbox. 535 map<string, string> labels = 5; 536 // Unstructured key-value map holding arbitrary metadata. 537 // Annotations MUST NOT be altered by the runtime; the value of this field 538 // MUST be identical to that of the corresponding PodSandboxConfig used to 539 // instantiate this PodSandbox. 540 map<string, string> annotations = 6; 541 // runtime configuration used for this PodSandbox. 542 string runtime_handler = 7; 543} 544 545message ListPodSandboxResponse { 546 // List of PodSandboxes. 547 repeated PodSandbox items = 1; 548} 549 550// ImageSpec is an internal representation of an image. 551message ImageSpec { 552 // Container's Image field (e.g. imageID or imageDigest). 553 string image = 1; 554 // Unstructured key-value map holding arbitrary metadata. 555 // ImageSpec Annotations can be used to help the runtime target specific 556 // images in multi-arch images. 557 map<string, string> annotations = 2; 558} 559 560message KeyValue { 561 string key = 1; 562 string value = 2; 563} 564 565// LinuxContainerResources specifies Linux specific configuration for 566// resources. 567// TODO: Consider using Resources from opencontainers/runtime-spec/specs-go 568// directly. 569message LinuxContainerResources { 570 // CPU CFS (Completely Fair Scheduler) period. Default: 0 (not specified). 571 int64 cpu_period = 1; 572 // CPU CFS (Completely Fair Scheduler) quota. Default: 0 (not specified). 573 int64 cpu_quota = 2; 574 // CPU shares (relative weight vs. other containers). Default: 0 (not specified). 575 int64 cpu_shares = 3; 576 // Memory limit in bytes. Default: 0 (not specified). 577 int64 memory_limit_in_bytes = 4; 578 // OOMScoreAdj adjusts the oom-killer score. Default: 0 (not specified). 579 int64 oom_score_adj = 5; 580 // CpusetCpus constrains the allowed set of logical CPUs. Default: "" (not specified). 581 string cpuset_cpus = 6; 582 // CpusetMems constrains the allowed set of memory nodes. Default: "" (not specified). 583 string cpuset_mems = 7; 584 // List of HugepageLimits to limit the HugeTLB usage of container per page size. Default: nil (not specified). 585 repeated HugepageLimit hugepage_limits = 8; 586} 587 588// HugepageLimit corresponds to the file`hugetlb.<hugepagesize>.limit_in_byte` in container level cgroup. 589// For example, `PageSize=1GB`, `Limit=1073741824` means setting `1073741824` bytes to hugetlb.1GB.limit_in_bytes. 590message HugepageLimit { 591 // The value of PageSize has the format <size><unit-prefix>B (2MB, 1GB), 592 // and must match the <hugepagesize> of the corresponding control file found in `hugetlb.<hugepagesize>.limit_in_bytes`. 593 // The values of <unit-prefix> are intended to be parsed using base 1024("1KB" = 1024, "1MB" = 1048576, etc). 594 string page_size = 1; 595 // limit in bytes of hugepagesize HugeTLB usage. 596 uint64 limit = 2; 597} 598 599// SELinuxOption are the labels to be applied to the container. 600message SELinuxOption { 601 string user = 1; 602 string role = 2; 603 string type = 3; 604 string level = 4; 605} 606 607// Capability contains the container capabilities to add or drop 608message Capability { 609 // List of capabilities to add. 610 repeated string add_capabilities = 1; 611 // List of capabilities to drop. 612 repeated string drop_capabilities = 2; 613} 614 615// LinuxContainerSecurityContext holds linux security configuration that will be applied to a container. 616message LinuxContainerSecurityContext { 617 // Capabilities to add or drop. 618 Capability capabilities = 1; 619 // If set, run container in privileged mode. 620 // Privileged mode is incompatible with the following options. If 621 // privileged is set, the following features MAY have no effect: 622 // 1. capabilities 623 // 2. selinux_options 624 // 4. seccomp 625 // 5. apparmor 626 // 627 // Privileged mode implies the following specific options are applied: 628 // 1. All capabilities are added. 629 // 2. Sensitive paths, such as kernel module paths within sysfs, are not masked. 630 // 3. Any sysfs and procfs mounts are mounted RW. 631 // 4. AppArmor confinement is not applied. 632 // 5. Seccomp restrictions are not applied. 633 // 6. The device cgroup does not restrict access to any devices. 634 // 7. All devices from the host's /dev are available within the container. 635 // 8. SELinux restrictions are not applied (e.g. label=disabled). 636 bool privileged = 2; 637 // Configurations for the container's namespaces. 638 // Only used if the container uses namespace for isolation. 639 NamespaceOption namespace_options = 3; 640 // SELinux context to be optionally applied. 641 SELinuxOption selinux_options = 4; 642 // UID to run the container process as. Only one of run_as_user and 643 // run_as_username can be specified at a time. 644 Int64Value run_as_user = 5; 645 // GID to run the container process as. run_as_group should only be specified 646 // when run_as_user or run_as_username is specified; otherwise, the runtime 647 // MUST error. 648 Int64Value run_as_group = 12; 649 // User name to run the container process as. If specified, the user MUST 650 // exist in the container image (i.e. in the /etc/passwd inside the image), 651 // and be resolved there by the runtime; otherwise, the runtime MUST error. 652 string run_as_username = 6; 653 // If set, the root filesystem of the container is read-only. 654 bool readonly_rootfs = 7; 655 // List of groups applied to the first process run in the container, in 656 // addition to the container's primary GID. 657 repeated int64 supplemental_groups = 8; 658 // no_new_privs defines if the flag for no_new_privs should be set on the 659 // container. 660 bool no_new_privs = 11; 661 // masked_paths is a slice of paths that should be masked by the container 662 // runtime, this can be passed directly to the OCI spec. 663 repeated string masked_paths = 13; 664 // readonly_paths is a slice of paths that should be set as readonly by the 665 // container runtime, this can be passed directly to the OCI spec. 666 repeated string readonly_paths = 14; 667 // Seccomp profile for the container. 668 SecurityProfile seccomp = 15; 669 // AppArmor profile for the container. 670 SecurityProfile apparmor = 16; 671 // AppArmor profile for the container, candidate values are: 672 // * runtime/default: equivalent to not specifying a profile. 673 // * unconfined: no profiles are loaded 674 // * localhost/<profile_name>: profile loaded on the node 675 // (localhost) by name. The possible profile names are detailed at 676 // https://gitlab.com/apparmor/apparmor/-/wikis/AppArmor_Core_Policy_Reference 677 string apparmor_profile = 9 [deprecated=true]; 678 // Seccomp profile for the container, candidate values are: 679 // * runtime/default: the default profile for the container runtime 680 // * unconfined: unconfined profile, ie, no seccomp sandboxing 681 // * localhost/<full-path-to-profile>: the profile installed on the node. 682 // <full-path-to-profile> is the full path of the profile. 683 // Default: "", which is identical with unconfined. 684 string seccomp_profile_path = 10 [deprecated=true]; 685} 686 687// LinuxContainerConfig contains platform-specific configuration for 688// Linux-based containers. 689message LinuxContainerConfig { 690 // Resources specification for the container. 691 LinuxContainerResources resources = 1; 692 // LinuxContainerSecurityContext configuration for the container. 693 LinuxContainerSecurityContext security_context = 2; 694} 695 696// WindowsContainerSecurityContext holds windows security configuration that will be applied to a container. 697message WindowsContainerSecurityContext { 698 // User name to run the container process as. If specified, the user MUST 699 // exist in the container image and be resolved there by the runtime; 700 // otherwise, the runtime MUST return error. 701 string run_as_username = 1; 702 703 // The contents of the GMSA credential spec to use to run this container. 704 string credential_spec = 2; 705} 706 707// WindowsContainerConfig contains platform-specific configuration for 708// Windows-based containers. 709message WindowsContainerConfig { 710 // Resources specification for the container. 711 WindowsContainerResources resources = 1; 712 // WindowsContainerSecurityContext configuration for the container. 713 WindowsContainerSecurityContext security_context = 2; 714} 715 716// WindowsContainerResources specifies Windows specific configuration for 717// resources. 718message WindowsContainerResources { 719 // CPU shares (relative weight vs. other containers). Default: 0 (not specified). 720 int64 cpu_shares = 1; 721 // Number of CPUs available to the container. Default: 0 (not specified). 722 int64 cpu_count = 2; 723 // Specifies the portion of processor cycles that this container can use as a percentage times 100. 724 int64 cpu_maximum = 3; 725 // Memory limit in bytes. Default: 0 (not specified). 726 int64 memory_limit_in_bytes = 4; 727} 728 729// ContainerMetadata holds all necessary information for building the container 730// name. The container runtime is encouraged to expose the metadata in its user 731// interface for better user experience. E.g., runtime can construct a unique 732// container name based on the metadata. Note that (name, attempt) is unique 733// within a sandbox for the entire lifetime of the sandbox. 734message ContainerMetadata { 735 // Name of the container. Same as the container name in the PodSpec. 736 string name = 1; 737 // Attempt number of creating the container. Default: 0. 738 uint32 attempt = 2; 739} 740 741// Device specifies a host device to mount into a container. 742message Device { 743 // Path of the device within the container. 744 string container_path = 1; 745 // Path of the device on the host. 746 string host_path = 2; 747 // Cgroups permissions of the device, candidates are one or more of 748 // * r - allows container to read from the specified device. 749 // * w - allows container to write to the specified device. 750 // * m - allows container to create device files that do not yet exist. 751 string permissions = 3; 752} 753 754// ContainerConfig holds all the required and optional fields for creating a 755// container. 756message ContainerConfig { 757 // Metadata of the container. This information will uniquely identify the 758 // container, and the runtime should leverage this to ensure correct 759 // operation. The runtime may also use this information to improve UX, such 760 // as by constructing a readable name. 761 ContainerMetadata metadata = 1 ; 762 // Image to use. 763 ImageSpec image = 2; 764 // Command to execute (i.e., entrypoint for docker) 765 repeated string command = 3; 766 // Args for the Command (i.e., command for docker) 767 repeated string args = 4; 768 // Current working directory of the command. 769 string working_dir = 5; 770 // List of environment variable to set in the container. 771 repeated KeyValue envs = 6; 772 // Mounts for the container. 773 repeated Mount mounts = 7; 774 // Devices for the container. 775 repeated Device devices = 8; 776 // Key-value pairs that may be used to scope and select individual resources. 777 // Label keys are of the form: 778 // label-key ::= prefixed-name | name 779 // prefixed-name ::= prefix '/' name 780 // prefix ::= DNS_SUBDOMAIN 781 // name ::= DNS_LABEL 782 map<string, string> labels = 9; 783 // Unstructured key-value map that may be used by the kubelet to store and 784 // retrieve arbitrary metadata. 785 // 786 // Annotations MUST NOT be altered by the runtime; the annotations stored 787 // here MUST be returned in the ContainerStatus associated with the container 788 // this ContainerConfig creates. 789 // 790 // In general, in order to preserve a well-defined interface between the 791 // kubelet and the container runtime, annotations SHOULD NOT influence 792 // runtime behaviour. 793 map<string, string> annotations = 10; 794 // Path relative to PodSandboxConfig.LogDirectory for container to store 795 // the log (STDOUT and STDERR) on the host. 796 // E.g., 797 // PodSandboxConfig.LogDirectory = `/var/log/pods/<podUID>/` 798 // ContainerConfig.LogPath = `containerName/Instance#.log` 799 // 800 // WARNING: Log management and how kubelet should interface with the 801 // container logs are under active discussion in 802 // https://issues.k8s.io/24677. There *may* be future change of direction 803 // for logging as the discussion carries on. 804 string log_path = 11; 805 806 // Variables for interactive containers, these have very specialized 807 // use-cases (e.g. debugging). 808 // TODO: Determine if we need to continue supporting these fields that are 809 // part of Kubernetes's Container Spec. 810 bool stdin = 12; 811 bool stdin_once = 13; 812 bool tty = 14; 813 814 // Configuration specific to Linux containers. 815 LinuxContainerConfig linux = 15; 816 // Configuration specific to Windows containers. 817 WindowsContainerConfig windows = 16; 818} 819 820message CreateContainerRequest { 821 // ID of the PodSandbox in which the container should be created. 822 string pod_sandbox_id = 1; 823 // Config of the container. 824 ContainerConfig config = 2; 825 // Config of the PodSandbox. This is the same config that was passed 826 // to RunPodSandboxRequest to create the PodSandbox. It is passed again 827 // here just for easy reference. The PodSandboxConfig is immutable and 828 // remains the same throughout the lifetime of the pod. 829 PodSandboxConfig sandbox_config = 3; 830} 831 832message CreateContainerResponse { 833 // ID of the created container. 834 string container_id = 1; 835} 836 837message StartContainerRequest { 838 // ID of the container to start. 839 string container_id = 1; 840} 841 842message StartContainerResponse {} 843 844message StopContainerRequest { 845 // ID of the container to stop. 846 string container_id = 1; 847 // Timeout in seconds to wait for the container to stop before forcibly 848 // terminating it. Default: 0 (forcibly terminate the container immediately) 849 int64 timeout = 2; 850} 851 852message StopContainerResponse {} 853 854message RemoveContainerRequest { 855 // ID of the container to remove. 856 string container_id = 1; 857} 858 859message RemoveContainerResponse {} 860 861enum ContainerState { 862 CONTAINER_CREATED = 0; 863 CONTAINER_RUNNING = 1; 864 CONTAINER_EXITED = 2; 865 CONTAINER_UNKNOWN = 3; 866} 867 868// ContainerStateValue is the wrapper of ContainerState. 869message ContainerStateValue { 870 // State of the container. 871 ContainerState state = 1; 872} 873 874// ContainerFilter is used to filter containers. 875// All those fields are combined with 'AND' 876message ContainerFilter { 877 // ID of the container. 878 string id = 1; 879 // State of the container. 880 ContainerStateValue state = 2; 881 // ID of the PodSandbox. 882 string pod_sandbox_id = 3; 883 // LabelSelector to select matches. 884 // Only api.MatchLabels is supported for now and the requirements 885 // are ANDed. MatchExpressions is not supported yet. 886 map<string, string> label_selector = 4; 887} 888 889message ListContainersRequest { 890 ContainerFilter filter = 1; 891} 892 893// Container provides the runtime information for a container, such as ID, hash, 894// state of the container. 895message Container { 896 // ID of the container, used by the container runtime to identify 897 // a container. 898 string id = 1; 899 // ID of the sandbox to which this container belongs. 900 string pod_sandbox_id = 2; 901 // Metadata of the container. 902 ContainerMetadata metadata = 3; 903 // Spec of the image. 904 ImageSpec image = 4; 905 // Reference to the image in use. For most runtimes, this should be an 906 // image ID. 907 string image_ref = 5; 908 // State of the container. 909 ContainerState state = 6; 910 // Creation time of the container in nanoseconds. 911 int64 created_at = 7; 912 // Key-value pairs that may be used to scope and select individual resources. 913 map<string, string> labels = 8; 914 // Unstructured key-value map holding arbitrary metadata. 915 // Annotations MUST NOT be altered by the runtime; the value of this field 916 // MUST be identical to that of the corresponding ContainerConfig used to 917 // instantiate this Container. 918 map<string, string> annotations = 9; 919} 920 921message ListContainersResponse { 922 // List of containers. 923 repeated Container containers = 1; 924} 925 926message ContainerStatusRequest { 927 // ID of the container for which to retrieve status. 928 string container_id = 1; 929 // Verbose indicates whether to return extra information about the container. 930 bool verbose = 2; 931} 932 933// ContainerStatus represents the status of a container. 934message ContainerStatus { 935 // ID of the container. 936 string id = 1; 937 // Metadata of the container. 938 ContainerMetadata metadata = 2; 939 // Status of the container. 940 ContainerState state = 3; 941 // Creation time of the container in nanoseconds. 942 int64 created_at = 4; 943 // Start time of the container in nanoseconds. Default: 0 (not specified). 944 int64 started_at = 5; 945 // Finish time of the container in nanoseconds. Default: 0 (not specified). 946 int64 finished_at = 6; 947 // Exit code of the container. Only required when finished_at != 0. Default: 0. 948 int32 exit_code = 7; 949 // Spec of the image. 950 ImageSpec image = 8; 951 // Reference to the image in use. For most runtimes, this should be an 952 // image ID 953 string image_ref = 9; 954 // Brief CamelCase string explaining why container is in its current state. 955 string reason = 10; 956 // Human-readable message indicating details about why container is in its 957 // current state. 958 string message = 11; 959 // Key-value pairs that may be used to scope and select individual resources. 960 map<string,string> labels = 12; 961 // Unstructured key-value map holding arbitrary metadata. 962 // Annotations MUST NOT be altered by the runtime; the value of this field 963 // MUST be identical to that of the corresponding ContainerConfig used to 964 // instantiate the Container this status represents. 965 map<string,string> annotations = 13; 966 // Mounts for the container. 967 repeated Mount mounts = 14; 968 // Log path of container. 969 string log_path = 15; 970} 971 972message ContainerStatusResponse { 973 // Status of the container. 974 ContainerStatus status = 1; 975 // Info is extra information of the Container. The key could be arbitrary string, and 976 // value should be in json format. The information could include anything useful for 977 // debug, e.g. pid for linux container based container runtime. 978 // It should only be returned non-empty when Verbose is true. 979 map<string, string> info = 2; 980} 981 982message UpdateContainerResourcesRequest { 983 // ID of the container to update. 984 string container_id = 1; 985 // Resource configuration specific to Linux containers. 986 LinuxContainerResources linux = 2; 987 // Resource configuration specific to Windows containers. 988 WindowsContainerResources windows = 3; 989 // Unstructured key-value map holding arbitrary additional information for 990 // container resources updating. This can be used for specifying experimental 991 // resources to update or other options to use when updating the container. 992 map<string, string> annotations = 4; 993} 994 995message UpdateContainerResourcesResponse {} 996 997message ExecSyncRequest { 998 // ID of the container. 999 string container_id = 1; 1000 // Command to execute. 1001 repeated string cmd = 2; 1002 // Timeout in seconds to stop the command. Default: 0 (run forever). 1003 int64 timeout = 3; 1004} 1005 1006message ExecSyncResponse { 1007 // Captured command stdout output. 1008 bytes stdout = 1; 1009 // Captured command stderr output. 1010 bytes stderr = 2; 1011 // Exit code the command finished with. Default: 0 (success). 1012 int32 exit_code = 3; 1013} 1014 1015message ExecRequest { 1016 // ID of the container in which to execute the command. 1017 string container_id = 1; 1018 // Command to execute. 1019 repeated string cmd = 2; 1020 // Whether to exec the command in a TTY. 1021 bool tty = 3; 1022 // Whether to stream stdin. 1023 // One of `stdin`, `stdout`, and `stderr` MUST be true. 1024 bool stdin = 4; 1025 // Whether to stream stdout. 1026 // One of `stdin`, `stdout`, and `stderr` MUST be true. 1027 bool stdout = 5; 1028 // Whether to stream stderr. 1029 // One of `stdin`, `stdout`, and `stderr` MUST be true. 1030 // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported 1031 // in this case. The output of stdout and stderr will be combined to a 1032 // single stream. 1033 bool stderr = 6; 1034} 1035 1036message ExecResponse { 1037 // Fully qualified URL of the exec streaming server. 1038 string url = 1; 1039} 1040 1041message AttachRequest { 1042 // ID of the container to which to attach. 1043 string container_id = 1; 1044 // Whether to stream stdin. 1045 // One of `stdin`, `stdout`, and `stderr` MUST be true. 1046 bool stdin = 2; 1047 // Whether the process being attached is running in a TTY. 1048 // This must match the TTY setting in the ContainerConfig. 1049 bool tty = 3; 1050 // Whether to stream stdout. 1051 // One of `stdin`, `stdout`, and `stderr` MUST be true. 1052 bool stdout = 4; 1053 // Whether to stream stderr. 1054 // One of `stdin`, `stdout`, and `stderr` MUST be true. 1055 // If `tty` is true, `stderr` MUST be false. Multiplexing is not supported 1056 // in this case. The output of stdout and stderr will be combined to a 1057 // single stream. 1058 bool stderr = 5; 1059} 1060 1061message AttachResponse { 1062 // Fully qualified URL of the attach streaming server. 1063 string url = 1; 1064} 1065 1066message PortForwardRequest { 1067 // ID of the container to which to forward the port. 1068 string pod_sandbox_id = 1; 1069 // Port to forward. 1070 repeated int32 port = 2; 1071} 1072 1073message PortForwardResponse { 1074 // Fully qualified URL of the port-forward streaming server. 1075 string url = 1; 1076} 1077 1078message ImageFilter { 1079 // Spec of the image. 1080 ImageSpec image = 1; 1081} 1082 1083message ListImagesRequest { 1084 // Filter to list images. 1085 ImageFilter filter = 1; 1086} 1087 1088// Basic information about a container image. 1089message Image { 1090 // ID of the image. 1091 string id = 1; 1092 // Other names by which this image is known. 1093 repeated string repo_tags = 2; 1094 // Digests by which this image is known. 1095 repeated string repo_digests = 3; 1096 // Size of the image in bytes. Must be > 0. 1097 uint64 size = 4; 1098 // UID that will run the command(s). This is used as a default if no user is 1099 // specified when creating the container. UID and the following user name 1100 // are mutually exclusive. 1101 Int64Value uid = 5; 1102 // User name that will run the command(s). This is used if UID is not set 1103 // and no user is specified when creating container. 1104 string username = 6; 1105 // ImageSpec for image which includes annotations 1106 ImageSpec spec = 7; 1107} 1108 1109message ListImagesResponse { 1110 // List of images. 1111 repeated Image images = 1; 1112} 1113 1114message ImageStatusRequest { 1115 // Spec of the image. 1116 ImageSpec image = 1; 1117 // Verbose indicates whether to return extra information about the image. 1118 bool verbose = 2; 1119} 1120 1121message ImageStatusResponse { 1122 // Status of the image. 1123 Image image = 1; 1124 // Info is extra information of the Image. The key could be arbitrary string, and 1125 // value should be in json format. The information could include anything useful 1126 // for debug, e.g. image config for oci image based container runtime. 1127 // It should only be returned non-empty when Verbose is true. 1128 map<string, string> info = 2; 1129} 1130 1131// AuthConfig contains authorization information for connecting to a registry. 1132message AuthConfig { 1133 string username = 1; 1134 string password = 2; 1135 string auth = 3; 1136 string server_address = 4; 1137 // IdentityToken is used to authenticate the user and get 1138 // an access token for the registry. 1139 string identity_token = 5; 1140 // RegistryToken is a bearer token to be sent to a registry 1141 string registry_token = 6; 1142} 1143 1144message PullImageRequest { 1145 // Spec of the image. 1146 ImageSpec image = 1; 1147 // Authentication configuration for pulling the image. 1148 AuthConfig auth = 2; 1149 // Config of the PodSandbox, which is used to pull image in PodSandbox context. 1150 PodSandboxConfig sandbox_config = 3; 1151} 1152 1153message PullImageResponse { 1154 // Reference to the image in use. For most runtimes, this should be an 1155 // image ID or digest. 1156 string image_ref = 1; 1157} 1158 1159message RemoveImageRequest { 1160 // Spec of the image to remove. 1161 ImageSpec image = 1; 1162} 1163 1164message RemoveImageResponse {} 1165 1166message NetworkConfig { 1167 // CIDR to use for pod IP addresses. If the CIDR is empty, runtimes 1168 // should omit it. 1169 string pod_cidr = 1; 1170} 1171 1172message RuntimeConfig { 1173 NetworkConfig network_config = 1; 1174} 1175 1176message UpdateRuntimeConfigRequest { 1177 RuntimeConfig runtime_config = 1; 1178} 1179 1180message UpdateRuntimeConfigResponse {} 1181 1182// RuntimeCondition contains condition information for the runtime. 1183// There are 2 kinds of runtime conditions: 1184// 1. Required conditions: Conditions are required for kubelet to work 1185// properly. If any required condition is unmet, the node will be not ready. 1186// The required conditions include: 1187// * RuntimeReady: RuntimeReady means the runtime is up and ready to accept 1188// basic containers e.g. container only needs host network. 1189// * NetworkReady: NetworkReady means the runtime network is up and ready to 1190// accept containers which require container network. 1191// 2. Optional conditions: Conditions are informative to the user, but kubelet 1192// will not rely on. Since condition type is an arbitrary string, all conditions 1193// not required are optional. These conditions will be exposed to users to help 1194// them understand the status of the system. 1195message RuntimeCondition { 1196 // Type of runtime condition. 1197 string type = 1; 1198 // Status of the condition, one of true/false. Default: false. 1199 bool status = 2; 1200 // Brief CamelCase string containing reason for the condition's last transition. 1201 string reason = 3; 1202 // Human-readable message indicating details about last transition. 1203 string message = 4; 1204} 1205 1206// RuntimeStatus is information about the current status of the runtime. 1207message RuntimeStatus { 1208 // List of current observed runtime conditions. 1209 repeated RuntimeCondition conditions = 1; 1210} 1211 1212message StatusRequest { 1213 // Verbose indicates whether to return extra information about the runtime. 1214 bool verbose = 1; 1215} 1216 1217message StatusResponse { 1218 // Status of the Runtime. 1219 RuntimeStatus status = 1; 1220 // Info is extra information of the Runtime. The key could be arbitrary string, and 1221 // value should be in json format. The information could include anything useful for 1222 // debug, e.g. plugins used by the container runtime. 1223 // It should only be returned non-empty when Verbose is true. 1224 map<string, string> info = 2; 1225} 1226 1227message ImageFsInfoRequest {} 1228 1229// UInt64Value is the wrapper of uint64. 1230message UInt64Value { 1231 // The value. 1232 uint64 value = 1; 1233} 1234 1235// FilesystemIdentifier uniquely identify the filesystem. 1236message FilesystemIdentifier{ 1237 // Mountpoint of a filesystem. 1238 string mountpoint = 1; 1239} 1240 1241// FilesystemUsage provides the filesystem usage information. 1242message FilesystemUsage { 1243 // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1244 int64 timestamp = 1; 1245 // The unique identifier of the filesystem. 1246 FilesystemIdentifier fs_id = 2; 1247 // UsedBytes represents the bytes used for images on the filesystem. 1248 // This may differ from the total bytes used on the filesystem and may not 1249 // equal CapacityBytes - AvailableBytes. 1250 UInt64Value used_bytes = 3; 1251 // InodesUsed represents the inodes used by the images. 1252 // This may not equal InodesCapacity - InodesAvailable because the underlying 1253 // filesystem may also be used for purposes other than storing images. 1254 UInt64Value inodes_used = 4; 1255} 1256 1257message ImageFsInfoResponse { 1258 // Information of image filesystem(s). 1259 repeated FilesystemUsage image_filesystems = 1; 1260} 1261 1262message ContainerStatsRequest{ 1263 // ID of the container for which to retrieve stats. 1264 string container_id = 1; 1265} 1266 1267message ContainerStatsResponse { 1268 // Stats of the container. 1269 ContainerStats stats = 1; 1270} 1271 1272message ListContainerStatsRequest{ 1273 // Filter for the list request. 1274 ContainerStatsFilter filter = 1; 1275} 1276 1277// ContainerStatsFilter is used to filter containers. 1278// All those fields are combined with 'AND' 1279message ContainerStatsFilter { 1280 // ID of the container. 1281 string id = 1; 1282 // ID of the PodSandbox. 1283 string pod_sandbox_id = 2; 1284 // LabelSelector to select matches. 1285 // Only api.MatchLabels is supported for now and the requirements 1286 // are ANDed. MatchExpressions is not supported yet. 1287 map<string, string> label_selector = 3; 1288} 1289 1290message ListContainerStatsResponse { 1291 // Stats of the container. 1292 repeated ContainerStats stats = 1; 1293} 1294 1295// ContainerAttributes provides basic information of the container. 1296message ContainerAttributes { 1297 // ID of the container. 1298 string id = 1; 1299 // Metadata of the container. 1300 ContainerMetadata metadata = 2; 1301 // Key-value pairs that may be used to scope and select individual resources. 1302 map<string,string> labels = 3; 1303 // Unstructured key-value map holding arbitrary metadata. 1304 // Annotations MUST NOT be altered by the runtime; the value of this field 1305 // MUST be identical to that of the corresponding ContainerConfig used to 1306 // instantiate the Container this status represents. 1307 map<string,string> annotations = 4; 1308} 1309 1310// ContainerStats provides the resource usage statistics for a container. 1311message ContainerStats { 1312 // Information of the container. 1313 ContainerAttributes attributes = 1; 1314 // CPU usage gathered from the container. 1315 CpuUsage cpu = 2; 1316 // Memory usage gathered from the container. 1317 MemoryUsage memory = 3; 1318 // Usage of the writable layer. 1319 FilesystemUsage writable_layer = 4; 1320} 1321 1322// CpuUsage provides the CPU usage information. 1323message CpuUsage { 1324 // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1325 int64 timestamp = 1; 1326 // Cumulative CPU usage (sum across all cores) since object creation. 1327 UInt64Value usage_core_nano_seconds = 2; 1328} 1329 1330// MemoryUsage provides the memory usage information. 1331message MemoryUsage { 1332 // Timestamp in nanoseconds at which the information were collected. Must be > 0. 1333 int64 timestamp = 1; 1334 // The amount of working set memory in bytes. 1335 UInt64Value working_set_bytes = 2; 1336} 1337 1338message ReopenContainerLogRequest { 1339 // ID of the container for which to reopen the log. 1340 string container_id = 1; 1341} 1342 1343message ReopenContainerLogResponse{ 1344} 1345