1/* 2Copyright 2016 The Kubernetes Authors. 3 4Licensed under the Apache License, Version 2.0 (the "License"); 5you may not use this file except in compliance with the License. 6You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10Unless required by applicable law or agreed to in writing, software 11distributed under the License is distributed on an "AS IS" BASIS, 12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13See the License for the specific language governing permissions and 14limitations under the License. 15*/ 16 17package v1beta1 18 19import ( 20 "k8s.io/api/core/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 "k8s.io/apimachinery/pkg/util/intstr" 23) 24 25// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget. 26type PodDisruptionBudgetSpec struct { 27 // An eviction is allowed if at least "minAvailable" pods selected by 28 // "selector" will still be available after the eviction, i.e. even in the 29 // absence of the evicted pod. So for example you can prevent all voluntary 30 // evictions by specifying "100%". 31 MinAvailable *intstr.IntOrString `json:"minAvailable,omitempty" protobuf:"bytes,1,opt,name=minAvailable"` 32 33 // Label query over pods whose evictions are managed by the disruption 34 // budget. 35 Selector *metav1.LabelSelector `json:"selector,omitempty" protobuf:"bytes,2,opt,name=selector"` 36 37 // An eviction is allowed if at most "maxUnavailable" pods selected by 38 // "selector" are unavailable after the eviction, i.e. even in absence of 39 // the evicted pod. For example, one can prevent all voluntary evictions 40 // by specifying 0. This is a mutually exclusive setting with "minAvailable". 41 MaxUnavailable *intstr.IntOrString `json:"maxUnavailable,omitempty" protobuf:"bytes,3,opt,name=maxUnavailable"` 42} 43 44// PodDisruptionBudgetStatus represents information about the status of a 45// PodDisruptionBudget. Status may trail the actual state of a system. 46type PodDisruptionBudgetStatus struct { 47 // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other 48 // status informatio is valid only if observedGeneration equals to PDB's object generation. 49 // +optional 50 ObservedGeneration int64 `json:"observedGeneration,omitempty" protobuf:"varint,1,opt,name=observedGeneration"` 51 52 // DisruptedPods contains information about pods whose eviction was 53 // processed by the API server eviction subresource handler but has not 54 // yet been observed by the PodDisruptionBudget controller. 55 // A pod will be in this map from the time when the API server processed the 56 // eviction request to the time when the pod is seen by PDB controller 57 // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod 58 // and the value is the time when the API server processed the eviction request. If 59 // the deletion didn't occur and a pod is still there it will be removed from 60 // the list automatically by PodDisruptionBudget controller after some time. 61 // If everything goes smooth this map should be empty for the most of the time. 62 // Large number of entries in the map may indicate problems with pod deletions. 63 DisruptedPods map[string]metav1.Time `json:"disruptedPods" protobuf:"bytes,2,rep,name=disruptedPods"` 64 65 // Number of pod disruptions that are currently allowed. 66 PodDisruptionsAllowed int32 `json:"disruptionsAllowed" protobuf:"varint,3,opt,name=disruptionsAllowed"` 67 68 // current number of healthy pods 69 CurrentHealthy int32 `json:"currentHealthy" protobuf:"varint,4,opt,name=currentHealthy"` 70 71 // minimum desired number of healthy pods 72 DesiredHealthy int32 `json:"desiredHealthy" protobuf:"varint,5,opt,name=desiredHealthy"` 73 74 // total number of pods counted by this disruption budget 75 ExpectedPods int32 `json:"expectedPods" protobuf:"varint,6,opt,name=expectedPods"` 76} 77 78// +genclient 79// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 80 81// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods 82type PodDisruptionBudget struct { 83 metav1.TypeMeta `json:",inline"` 84 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 85 86 // Specification of the desired behavior of the PodDisruptionBudget. 87 Spec PodDisruptionBudgetSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 88 // Most recently observed status of the PodDisruptionBudget. 89 Status PodDisruptionBudgetStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` 90} 91 92// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 93 94// PodDisruptionBudgetList is a collection of PodDisruptionBudgets. 95type PodDisruptionBudgetList struct { 96 metav1.TypeMeta `json:",inline"` 97 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 98 Items []PodDisruptionBudget `json:"items" protobuf:"bytes,2,rep,name=items"` 99} 100 101// +genclient 102// +genclient:noVerbs 103// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 104 105// Eviction evicts a pod from its node subject to certain policies and safety constraints. 106// This is a subresource of Pod. A request to cause such an eviction is 107// created by POSTing to .../pods/<pod name>/evictions. 108type Eviction struct { 109 metav1.TypeMeta `json:",inline"` 110 111 // ObjectMeta describes the pod that is being evicted. 112 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 113 114 // DeleteOptions may be provided 115 DeleteOptions *metav1.DeleteOptions `json:"deleteOptions,omitempty" protobuf:"bytes,2,opt,name=deleteOptions"` 116} 117 118// +genclient 119// +genclient:nonNamespaced 120// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 121 122// PodSecurityPolicy governs the ability to make requests that affect the Security Context 123// that will be applied to a pod and container. 124type PodSecurityPolicy struct { 125 metav1.TypeMeta `json:",inline"` 126 // Standard object's metadata. 127 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 128 // +optional 129 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 130 131 // spec defines the policy enforced. 132 // +optional 133 Spec PodSecurityPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 134} 135 136// PodSecurityPolicySpec defines the policy enforced. 137type PodSecurityPolicySpec struct { 138 // privileged determines if a pod can request to be run as privileged. 139 // +optional 140 Privileged bool `json:"privileged,omitempty" protobuf:"varint,1,opt,name=privileged"` 141 // defaultAddCapabilities is the default set of capabilities that will be added to the container 142 // unless the pod spec specifically drops the capability. You may not list a capability in both 143 // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly 144 // allowed, and need not be included in the allowedCapabilities list. 145 // +optional 146 DefaultAddCapabilities []v1.Capability `json:"defaultAddCapabilities,omitempty" protobuf:"bytes,2,rep,name=defaultAddCapabilities,casttype=k8s.io/api/core/v1.Capability"` 147 // requiredDropCapabilities are the capabilities that will be dropped from the container. These 148 // are required to be dropped and cannot be added. 149 // +optional 150 RequiredDropCapabilities []v1.Capability `json:"requiredDropCapabilities,omitempty" protobuf:"bytes,3,rep,name=requiredDropCapabilities,casttype=k8s.io/api/core/v1.Capability"` 151 // allowedCapabilities is a list of capabilities that can be requested to add to the container. 152 // Capabilities in this field may be added at the pod author's discretion. 153 // You must not list a capability in both allowedCapabilities and requiredDropCapabilities. 154 // +optional 155 AllowedCapabilities []v1.Capability `json:"allowedCapabilities,omitempty" protobuf:"bytes,4,rep,name=allowedCapabilities,casttype=k8s.io/api/core/v1.Capability"` 156 // volumes is a white list of allowed volume plugins. Empty indicates that 157 // no volumes may be used. To allow all volumes you may use '*'. 158 // +optional 159 Volumes []FSType `json:"volumes,omitempty" protobuf:"bytes,5,rep,name=volumes,casttype=FSType"` 160 // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec. 161 // +optional 162 HostNetwork bool `json:"hostNetwork,omitempty" protobuf:"varint,6,opt,name=hostNetwork"` 163 // hostPorts determines which host port ranges are allowed to be exposed. 164 // +optional 165 HostPorts []HostPortRange `json:"hostPorts,omitempty" protobuf:"bytes,7,rep,name=hostPorts"` 166 // hostPID determines if the policy allows the use of HostPID in the pod spec. 167 // +optional 168 HostPID bool `json:"hostPID,omitempty" protobuf:"varint,8,opt,name=hostPID"` 169 // hostIPC determines if the policy allows the use of HostIPC in the pod spec. 170 // +optional 171 HostIPC bool `json:"hostIPC,omitempty" protobuf:"varint,9,opt,name=hostIPC"` 172 // seLinux is the strategy that will dictate the allowable labels that may be set. 173 SELinux SELinuxStrategyOptions `json:"seLinux" protobuf:"bytes,10,opt,name=seLinux"` 174 // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set. 175 RunAsUser RunAsUserStrategyOptions `json:"runAsUser" protobuf:"bytes,11,opt,name=runAsUser"` 176 // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. 177 SupplementalGroups SupplementalGroupsStrategyOptions `json:"supplementalGroups" protobuf:"bytes,12,opt,name=supplementalGroups"` 178 // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext. 179 FSGroup FSGroupStrategyOptions `json:"fsGroup" protobuf:"bytes,13,opt,name=fsGroup"` 180 // readOnlyRootFilesystem when set to true will force containers to run with a read only root file 181 // system. If the container specifically requests to run with a non-read only root file system 182 // the PSP should deny the pod. 183 // If set to false the container may run with a read only root file system if it wishes but it 184 // will not be forced to. 185 // +optional 186 ReadOnlyRootFilesystem bool `json:"readOnlyRootFilesystem,omitempty" protobuf:"varint,14,opt,name=readOnlyRootFilesystem"` 187 // defaultAllowPrivilegeEscalation controls the default setting for whether a 188 // process can gain more privileges than its parent process. 189 // +optional 190 DefaultAllowPrivilegeEscalation *bool `json:"defaultAllowPrivilegeEscalation,omitempty" protobuf:"varint,15,opt,name=defaultAllowPrivilegeEscalation"` 191 // allowPrivilegeEscalation determines if a pod can request to allow 192 // privilege escalation. If unspecified, defaults to true. 193 // +optional 194 AllowPrivilegeEscalation *bool `json:"allowPrivilegeEscalation,omitempty" protobuf:"varint,16,opt,name=allowPrivilegeEscalation"` 195 // allowedHostPaths is a white list of allowed host paths. Empty indicates 196 // that all host paths may be used. 197 // +optional 198 AllowedHostPaths []AllowedHostPath `json:"allowedHostPaths,omitempty" protobuf:"bytes,17,rep,name=allowedHostPaths"` 199 // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all 200 // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes 201 // is allowed in the "volumes" field. 202 // +optional 203 AllowedFlexVolumes []AllowedFlexVolume `json:"allowedFlexVolumes,omitempty" protobuf:"bytes,18,rep,name=allowedFlexVolumes"` 204} 205 206// AllowedHostPath defines the host volume conditions that will be enabled by a policy 207// for pods to use. It requires the path prefix to be defined. 208type AllowedHostPath struct { 209 // pathPrefix is the path prefix that the host volume must match. 210 // It does not support `*`. 211 // Trailing slashes are trimmed when validating the path prefix with a host path. 212 // 213 // Examples: 214 // `/foo` would allow `/foo`, `/foo/` and `/foo/bar` 215 // `/foo` would not allow `/food` or `/etc/foo` 216 PathPrefix string `json:"pathPrefix,omitempty" protobuf:"bytes,1,rep,name=pathPrefix"` 217} 218 219// FSType gives strong typing to different file systems that are used by volumes. 220type FSType string 221 222var ( 223 AzureFile FSType = "azureFile" 224 Flocker FSType = "flocker" 225 FlexVolume FSType = "flexVolume" 226 HostPath FSType = "hostPath" 227 EmptyDir FSType = "emptyDir" 228 GCEPersistentDisk FSType = "gcePersistentDisk" 229 AWSElasticBlockStore FSType = "awsElasticBlockStore" 230 GitRepo FSType = "gitRepo" 231 Secret FSType = "secret" 232 NFS FSType = "nfs" 233 ISCSI FSType = "iscsi" 234 Glusterfs FSType = "glusterfs" 235 PersistentVolumeClaim FSType = "persistentVolumeClaim" 236 RBD FSType = "rbd" 237 Cinder FSType = "cinder" 238 CephFS FSType = "cephFS" 239 DownwardAPI FSType = "downwardAPI" 240 FC FSType = "fc" 241 ConfigMap FSType = "configMap" 242 Quobyte FSType = "quobyte" 243 AzureDisk FSType = "azureDisk" 244 All FSType = "*" 245) 246 247// AllowedFlexVolume represents a single Flexvolume that is allowed to be used. 248type AllowedFlexVolume struct { 249 // driver is the name of the Flexvolume driver. 250 Driver string `json:"driver" protobuf:"bytes,1,opt,name=driver"` 251} 252 253// HostPortRange defines a range of host ports that will be enabled by a policy 254// for pods to use. It requires both the start and end to be defined. 255type HostPortRange struct { 256 // min is the start of the range, inclusive. 257 Min int32 `json:"min" protobuf:"varint,1,opt,name=min"` 258 // max is the end of the range, inclusive. 259 Max int32 `json:"max" protobuf:"varint,2,opt,name=max"` 260} 261 262// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy. 263type SELinuxStrategyOptions struct { 264 // rule is the strategy that will dictate the allowable labels that may be set. 265 Rule SELinuxStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=SELinuxStrategy"` 266 // seLinuxOptions required to run as; required for MustRunAs 267 // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ 268 // +optional 269 SELinuxOptions *v1.SELinuxOptions `json:"seLinuxOptions,omitempty" protobuf:"bytes,2,opt,name=seLinuxOptions"` 270} 271 272// SELinuxStrategy denotes strategy types for generating SELinux options for a 273// Security Context. 274type SELinuxStrategy string 275 276const ( 277 // SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied. 278 SELinuxStrategyMustRunAs SELinuxStrategy = "MustRunAs" 279 // SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels. 280 SELinuxStrategyRunAsAny SELinuxStrategy = "RunAsAny" 281) 282 283// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. 284type RunAsUserStrategyOptions struct { 285 // rule is the strategy that will dictate the allowable RunAsUser values that may be set. 286 Rule RunAsUserStrategy `json:"rule" protobuf:"bytes,1,opt,name=rule,casttype=RunAsUserStrategy"` 287 // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid 288 // then supply a single range with the same start and end. Required for MustRunAs. 289 // +optional 290 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 291} 292 293// IDRange provides a min/max of an allowed range of IDs. 294type IDRange struct { 295 // min is the start of the range, inclusive. 296 Min int64 `json:"min" protobuf:"varint,1,opt,name=min"` 297 // max is the end of the range, inclusive. 298 Max int64 `json:"max" protobuf:"varint,2,opt,name=max"` 299} 300 301// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a 302// Security Context. 303type RunAsUserStrategy string 304 305const ( 306 // RunAsUserStrategyMustRunAs means that container must run as a particular uid. 307 RunAsUserStrategyMustRunAs RunAsUserStrategy = "MustRunAs" 308 // RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid. 309 RunAsUserStrategyMustRunAsNonRoot RunAsUserStrategy = "MustRunAsNonRoot" 310 // RunAsUserStrategyRunAsAny means that container may make requests for any uid. 311 RunAsUserStrategyRunAsAny RunAsUserStrategy = "RunAsAny" 312) 313 314// FSGroupStrategyOptions defines the strategy type and options used to create the strategy. 315type FSGroupStrategyOptions struct { 316 // rule is the strategy that will dictate what FSGroup is used in the SecurityContext. 317 // +optional 318 Rule FSGroupStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=FSGroupStrategyType"` 319 // ranges are the allowed ranges of fs groups. If you would like to force a single 320 // fs group then supply a single range with the same start and end. Required for MustRunAs. 321 // +optional 322 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 323} 324 325// FSGroupStrategyType denotes strategy types for generating FSGroup values for a 326// SecurityContext 327type FSGroupStrategyType string 328 329const ( 330 // FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied. 331 FSGroupStrategyMustRunAs FSGroupStrategyType = "MustRunAs" 332 // FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels. 333 FSGroupStrategyRunAsAny FSGroupStrategyType = "RunAsAny" 334) 335 336// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. 337type SupplementalGroupsStrategyOptions struct { 338 // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext. 339 // +optional 340 Rule SupplementalGroupsStrategyType `json:"rule,omitempty" protobuf:"bytes,1,opt,name=rule,casttype=SupplementalGroupsStrategyType"` 341 // ranges are the allowed ranges of supplemental groups. If you would like to force a single 342 // supplemental group then supply a single range with the same start and end. Required for MustRunAs. 343 // +optional 344 Ranges []IDRange `json:"ranges,omitempty" protobuf:"bytes,2,rep,name=ranges"` 345} 346 347// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental 348// groups for a SecurityContext. 349type SupplementalGroupsStrategyType string 350 351const ( 352 // SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid. 353 SupplementalGroupsStrategyMustRunAs SupplementalGroupsStrategyType = "MustRunAs" 354 // SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid. 355 SupplementalGroupsStrategyRunAsAny SupplementalGroupsStrategyType = "RunAsAny" 356) 357 358// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 359 360// PodSecurityPolicyList is a list of PodSecurityPolicy objects. 361type PodSecurityPolicyList struct { 362 metav1.TypeMeta `json:",inline"` 363 // Standard list metadata. 364 // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata 365 // +optional 366 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 367 368 // items is a list of schema objects. 369 Items []PodSecurityPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` 370} 371