1/* 2Copyright 2016 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17package v1beta1 18 19import ( 20 "k8s.io/api/core/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 "k8s.io/apimachinery/pkg/util/intstr" 23) 24 25// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. 26type PodDisruptionBudgetSpec struct { 27 // An eviction is allowed if at least "minAvailable" pods selected by 28 // "selector" will still be available after the eviction, i.e. even in the 29 // absence of the evicted pod. So for example you can prevent all voluntary 30 // evictions by specifying "100%". 31 MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"` 32 33 // Label query over pods whose evictions are managed by the disruption 34 // budget. 35 Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"` 36 37 // An eviction is allowed if at most "maxUnavailable" pods selected by 38 // "selector" are unavailable after the eviction, i.e. even in absence of 39 // the evicted pod. For example, one can prevent all voluntary evictions 40 // by specifying 0. This is a mutually exclusive setting with "minAvailable". 41 MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"` 42} 43 44// PodDisruptionBudgetStatus represents information about the status of a 45// PodDisruptionBudget. Status may trail the actual state of a system. 46type PodDisruptionBudgetStatus struct { 47 // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other 48 // status informatio is valid only if observedGeneration equals to PDB's object generation. 49 // +optional 50 ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` 51 52 // DisruptedPods contains information about pods whose eviction was 53 // processed by the API server eviction subresource handler but has not 54 // yet been observed by the PodDisruptionBudget controller. 55 // A pod will be in this map from the time when the API server processed the 56 // eviction request to the time when the pod is seen by PDB controller 57 // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod 58 // and the value is the time when the API server processed the eviction request. If 59 // the deletion didn't occur and a pod is still there it will be removed from 60 // the list automatically by PodDisruptionBudget controller after some time. 61 // If everything goes smooth this map should be empty for the most of the time. 62 // Large number of entries in the map may indicate problems with pod deletions. 63 DisruptedPods map[string]metav1.Time `json:"disruptedPods" protobuf:"bytes,2,rep,name=disruptedPods"` 64 65 // Number of pod disruptions that are currently allowed. 66 PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"` 67 68 // current number of healthy pods 69 CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"` 70 71 // minimum desired number of healthy pods 72 DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"` 73 74 // total number of pods counted by this disruption budget 75 ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"` 76} 77 78// +genclient 79// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 80 81// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods 82type PodDisruptionBudget struct { 83 metav1.TypeMeta `json:",inline"` 84 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 85 86 // Specification of the desired behavior of the PodDisruptionBudget. 87 Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 88 // Most recently observed status of the PodDisruptionBudget. 89 Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` 90} 91 92// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 93 94// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. 95type PodDisruptionBudgetList struct { 96 metav1.TypeMeta `json:",inline"` 97 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 98 Items []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"` 99} 100 101// +genclient 102// +genclient:noVerbs 103// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 104 105// Eviction evicts a pod from its node subject to certain policies and safety constraints. 106// This is a subresource of Pod. A request to cause such an eviction is 107// created by POSTing to .../pods/<pod name>/evictions. 108type Eviction struct { 109 metav1.TypeMeta `json:",inline"` 110 111 // ObjectMeta describes the pod that is being evicted. 112 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 113 114 // DeleteOptions may be provided 115 DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"` 116} 117 118// +genclient 119// +genclient:nonNamespaced 120// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 121 122// PodSecurityPolicy governs the ability to make requests that affect the Security Context 123// that will be applied to a pod and container. 124type PodSecurityPolicy struct { 125 metav1.TypeMeta `json:",inline"` 126 // Standard object's metadata. 127 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 128 // +optional 129 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 130 131 // spec defines the policy enforced. 132 // +optional 133 Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 134} 135 136// PodSecurityPolicySpec defines the policy enforced. 137type PodSecurityPolicySpec struct { 138 // privileged determines if a pod can request to be run as privileged. 139 // +optional 140 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"` 141 // defaultAddCapabilities is the default set of capabilities that will be added to the container 142 // unless the pod spec specifically drops the capability. You may not list a capability in both 143 // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly 144 // allowed, and need not be included in the allowedCapabilities list. 145 // +optional 146 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"` 147 // requiredDropCapabilities are the capabilities that will be dropped from the container. These 148 // are required to be dropped and cannot be added. 149 // +optional 150 RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"` 151 // allowedCapabilities is a list of capabilities that can be requested to add to the container. 152 // Capabilities in this field may be added at the pod author's discretion. 153 // You must not list a capability in both allowedCapabilities and requiredDropCapabilities. 154 // +optional 155 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"` 156 // volumes is a white list of allowed volume plugins. Empty indicates that 157 // no volumes may be used. To allow all volumes you may use '*'. 158 // +optional 159 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"` 160 // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec. 161 // +optional 162 HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"` 163 // hostPorts determines which host port ranges are allowed to be exposed. 164 // +optional 165 HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"` 166 // hostPID determines if the policy allows the use of HostPID in the pod spec. 167 // +optional 168 HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"` 169 // hostIPC determines if the policy allows the use of HostIPC in the pod spec. 170 // +optional 171 HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"` 172 // seLinux is the strategy that will dictate the allowable labels that may be set. 173 SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"` 174 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. 175 RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"` 176 // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. 177 SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"` 178 // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. 179 FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"` 180 // readOnlyRootFilesystem when set to true will force containers to run with a read only root file 181 // system. If the container specifically requests to run with a non-read only root file system 182 // the PSP should deny the pod. 183 // If set to false the container may run with a read only root file system if it wishes but it 184 // will not be forced to. 185 // +optional 186 ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"` 187 // defaultAllowPrivilegeEscalation controls the default setting for whether a 188 // process can gain more privileges than its parent process. 189 // +optional 190 DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"` 191 // allowPrivilegeEscalation determines if a pod can request to allow 192 // privilege escalation. If unspecified, defaults to true. 193 // +optional 194 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"` 195 // allowedHostPaths is a white list of allowed host paths. Empty indicates 196 // that all host paths may be used. 197 // +optional 198 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"` 199 // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all 200 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes 201 // is allowed in the "volumes" field. 202 // +optional 203 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` 204 // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. 205 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered 206 // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. 207 // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. 208 // 209 // Examples: 210 // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. 211 // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. 212 // +optional 213 AllowedUnsafeSysctls []string `json:"allowedUnsafeSysctls,omitempty" protobuf:"bytes,19,rep,name=allowedUnsafeSysctls"` 214 // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. 215 // Each entry is either a plain sysctl name or ends in "*" in which case it is considered 216 // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. 217 // 218 // Examples: 219 // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. 220 // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. 221 // +optional 222 ForbiddenSysctls []string `json:"forbiddenSysctls,omitempty" protobuf:"bytes,20,rep,name=forbiddenSysctls"` 223} 224 225// AllowedHostPath defines the host volume conditions that will be enabled by a policy 226// for pods to use. It requires the path prefix to be defined. 227type AllowedHostPath struct { 228 // pathPrefix is the path prefix that the host volume must match. 229 // It does not support `*`. 230 // Trailing slashes are trimmed when validating the path prefix with a host path. 231 // 232 // Examples: 233 // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` 234 // `/foo` would not allow `/food` or `/etc/foo` 235 PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"` 236 237 // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly. 238 // +optional 239 ReadOnly bool `json:"readOnly,omitempty" protobuf:"varint,2,opt,name=readOnly"` 240} 241 242// FSType gives strong typing to different file systems that are used by volumes. 243type FSType string 244 245var ( 246 AzureFile FSType = "azureFile" 247 Flocker FSType = "flocker" 248 FlexVolume FSType = "flexVolume" 249 HostPath FSType = "hostPath" 250 EmptyDir FSType = "emptyDir" 251 GCEPersistentDisk FSType = "gcePersistentDisk" 252 AWSElasticBlockStore FSType = "awsElasticBlockStore" 253 GitRepo FSType = "gitRepo" 254 Secret FSType = "secret" 255 NFS FSType = "nfs" 256 ISCSI FSType = "iscsi" 257 Glusterfs FSType = "glusterfs" 258 PersistentVolumeClaim FSType = "persistentVolumeClaim" 259 RBD FSType = "rbd" 260 Cinder FSType = "cinder" 261 CephFS FSType = "cephFS" 262 DownwardAPI FSType = "downwardAPI" 263 FC FSType = "fc" 264 ConfigMap FSType = "configMap" 265 Quobyte FSType = "quobyte" 266 AzureDisk FSType = "azureDisk" 267 All FSType = "*" 268) 269 270// AllowedFlexVolume represents a single Flexvolume that is allowed to be used. 271type AllowedFlexVolume struct { 272 // driver is the name of the Flexvolume driver. 273 Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` 274} 275 276// HostPortRange defines a range of host ports that will be enabled by a policy 277// for pods to use. It requires both the start and end to be defined. 278type HostPortRange struct { 279 // min is the start of the range, inclusive. 280 Min int32 `json:"min" protobuf:"varint,1,opt,name=min"` 281 // max is the end of the range, inclusive. 282 Max int32 `json:"max" protobuf:"varint,2,opt,name=max"` 283} 284 285// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. 286type SELinuxStrategyOptions struct { 287 // rule is the strategy that will dictate the allowable labels that may be set. 288 Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"` 289 // seLinuxOptions required to run as; required for MustRunAs 290 // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ 291 // +optional 292 SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"` 293} 294 295// SELinuxStrategy denotes strategy types for generating SELinux options for a 296// Security Context. 297type SELinuxStrategy string 298 299const ( 300 // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. 301 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" 302 // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. 303 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" 304) 305 306// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. 307type RunAsUserStrategyOptions struct { 308 // rule is the strategy that will dictate the allowable RunAsUser values that may be set. 309 Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"` 310 // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid 311 // then supply a single range with the same start and end. Required for MustRunAs. 312 // +optional 313 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 314} 315 316// IDRange provides a min/max of an allowed range of IDs. 317type IDRange struct { 318 // min is the start of the range, inclusive. 319 Min int64 `json:"min" protobuf:"varint,1,opt,name=min"` 320 // max is the end of the range, inclusive. 321 Max int64 `json:"max" protobuf:"varint,2,opt,name=max"` 322} 323 324// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a 325// Security Context. 326type RunAsUserStrategy string 327 328const ( 329 // RunAsUserStrategyMustRunAs means that container must run as a particular uid. 330 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" 331 // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid. 332 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" 333 // RunAsUserStrategyRunAsAny means that container may make requests for any uid. 334 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" 335) 336 337// FSGroupStrategyOptions defines the strategy type and options used to create the strategy. 338type FSGroupStrategyOptions struct { 339 // rule is the strategy that will dictate what FSGroup is used in the SecurityContext. 340 // +optional 341 Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"` 342 // ranges are the allowed ranges of fs groups. If you would like to force a single 343 // fs group then supply a single range with the same start and end. Required for MustRunAs. 344 // +optional 345 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 346} 347 348// FSGroupStrategyType denotes strategy types for generating FSGroup values for a 349// SecurityContext 350type FSGroupStrategyType string 351 352const ( 353 // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied. 354 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" 355 // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. 356 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" 357) 358 359// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. 360type SupplementalGroupsStrategyOptions struct { 361 // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext. 362 // +optional 363 Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"` 364 // ranges are the allowed ranges of supplemental groups. If you would like to force a single 365 // supplemental group then supply a single range with the same start and end. Required for MustRunAs. 366 // +optional 367 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 368} 369 370// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental 371// groups for a SecurityContext. 372type SupplementalGroupsStrategyType string 373 374const ( 375 // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. 376 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" 377 // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. 378 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" 379) 380 381// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 382 383// PodSecurityPolicyList is a list of PodSecurityPolicy objects. 384type PodSecurityPolicyList struct { 385 metav1.TypeMeta `json:",inline"` 386 // Standard list metadata. 387 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 388 // +optional 389 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 390 391 // items is a list of schema objects. 392 Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` 393} 394