/*
Copyright The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/


// This file was autogenerated by go-to-protobuf. Do not edit it manually!

// proto2 syntax as emitted by go-to-protobuf. Every scalar field in this file is
// declared `optional`, so field presence is tracked on the wire. Field numbers are
// the wire contract; this file is regenerated from the Go types, so changes belong
// in the Go source, not here.
syntax = 'proto2';

package k8s.io.api.admissionregistration.v1beta1;

import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "v1beta1";
30
// MutatingWebhook describes an admission webhook and the resources and operations it applies to.
// A mutating webhook may change the object under admission; see ValidatingWebhook for the
// non-mutating variant.
message MutatingWebhook {
  // The name of the admission webhook.
  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
  // of the organization.
  // Required.
  optional string name = 1;

  // ClientConfig defines how to communicate with the hook.
  // Required
  optional WebhookClientConfig clientConfig = 2;

  // Rules describes what operations on what resources/subresources the webhook cares about.
  // The webhook cares about an operation if it matches _any_ Rule.
  // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
  // from putting the cluster in a state which cannot be recovered from without completely
  // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
  // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
  repeated RuleWithOperations rules = 3;

  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
  // allowed values are Ignore or Fail. Defaults to Ignore.
  // Note that Ignore is fail-open: with the default, a call that errors or times out is
  // ignored rather than failing the API request. Use Fail when the mutation must not be
  // skipped.
  // +optional
  optional string failurePolicy = 4;

  // matchPolicy defines how the "rules" list is used to match incoming requests.
  // Allowed values are "Exact" or "Equivalent".
  //
  // - Exact: match a request only if it exactly matches a specified rule.
  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
  // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
  // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
  //
  // - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
  // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
  // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
  //
  // Defaults to "Exact"
  // +optional
  optional string matchPolicy = 9;

  // NamespaceSelector decides whether to run the webhook on an object based
  // on whether the namespace for that object matches the selector. If the
  // object itself is a namespace, the matching is performed on
  // object.metadata.labels. If the object is another cluster scoped resource,
  // it never skips the webhook.
  //
  // For example, to run the webhook on any objects whose namespace is not
  // associated with "runlevel" of "0" or "1";  you will set the selector as
  // follows:
  // "namespaceSelector": {
  //   "matchExpressions": [
  //     {
  //       "key": "runlevel",
  //       "operator": "NotIn",
  //       "values": [
  //         "0",
  //         "1"
  //       ]
  //     }
  //   ]
  // }
  //
  // If instead you want to only run the webhook on any objects whose
  // namespace is associated with the "environment" of "prod" or "staging";
  // you will set the selector as follows:
  // "namespaceSelector": {
  //   "matchExpressions": [
  //     {
  //       "key": "environment",
  //       "operator": "In",
  //       "values": [
  //         "prod",
  //         "staging"
  //       ]
  //     }
  //   ]
  // }
  //
  // See
  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  // for more examples of label selectors.
  //
  // Default to the empty LabelSelector, which matches everything.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;

  // ObjectSelector decides whether to run the webhook based on if the
  // object has matching labels. objectSelector is evaluated against both
  // the oldObject and newObject that would be sent to the webhook, and
  // is considered to match if either object matches the selector. A null
  // object (oldObject in the case of create, or newObject in the case of
  // delete) or an object that cannot have labels (like a
  // DeploymentRollback or a PodProxyOptions object) is not considered to
  // match.
  // Use the object selector only if the webhook is opt-in, because end
  // users may skip the admission webhook by setting the labels; it is not
  // a suitable basis for a policy that must apply to every object.
  // Default to the empty LabelSelector, which matches everything.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 11;

  // SideEffects states whether this webhook has side effects.
  // Acceptable values are: Unknown, None, Some, NoneOnDryRun
  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
  // sideEffects == Unknown or Some. Defaults to Unknown.
  // +optional
  optional string sideEffects = 6;

  // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
  // the webhook call will be ignored or the API call will fail based on the
  // failure policy.
  // The timeout value must be between 1 and 30 seconds.
  // Default to 30 seconds.
  // +optional
  optional int32 timeoutSeconds = 7;

  // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
  // versions the Webhook expects. API server will try to use first version in
  // the list which it supports. If none of the versions specified in this list
  // is supported by the API server, validation will fail for this object.
  // If a persisted webhook configuration specifies allowed versions and does not
  // include any versions known to the API Server, calls to the webhook will fail
  // and be subject to the failure policy.
  // Default to `['v1beta1']`.
  // +optional
  repeated string admissionReviewVersions = 8;

  // reinvocationPolicy indicates whether this webhook should be called multiple times as part of a single admission evaluation.
  // Allowed values are "Never" and "IfNeeded".
  //
  // Never: the webhook will not be called more than once in a single admission evaluation.
  //
  // IfNeeded: the webhook will be called at least one additional time as part of the admission evaluation
  // if the object being admitted is modified by other admission plugins after the initial webhook call.
  // Webhooks that specify this option *must* be idempotent, able to process objects they previously admitted.
  // Note:
  // * the number of additional invocations is not guaranteed to be exactly one.
  // * if additional invocations result in further modifications to the object, webhooks are not guaranteed to be invoked again.
  // * webhooks that use this option may be reordered to minimize the number of additional invocations.
  // * to validate an object after all mutations are guaranteed complete, use a validating admission webhook instead.
  //
  // Defaults to "Never".
  // +optional
  optional string reinvocationPolicy = 10;
}
180
// MutatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects and may change the object.
// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 MutatingWebhookConfiguration instead.
message MutatingWebhookConfiguration {
  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Webhooks is a list of webhooks and the affected resources and operations.
  // The patch markers below request list merging keyed by each webhook's `name`.
  // +optional
  // +patchMergeKey=name
  // +patchStrategy=merge
  repeated MutatingWebhook Webhooks = 2;
}
194
// MutatingWebhookConfigurationList is a list of MutatingWebhookConfiguration.
message MutatingWebhookConfigurationList {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of MutatingWebhookConfiguration.
  repeated MutatingWebhookConfiguration items = 2;
}
205
// Rule is a tuple of APIGroups, APIVersion, and Resources. It is recommended
// to make sure that all the tuple expansions are valid.
message Rule {
  // APIGroups is the API groups the resources belong to. '*' is all groups.
  // If '*' is present, the length of the slice must be one.
  // Required.
  repeated string apiGroups = 1;

  // APIVersions is the API versions the resources belong to. '*' is all versions.
  // If '*' is present, the length of the slice must be one.
  // Required.
  repeated string apiVersions = 2;

  // Resources is a list of resources this rule applies to.
  //
  // For example:
  // 'pods' means pods.
  // 'pods/log' means the log subresource of pods.
  // '*' means all resources, but not subresources.
  // 'pods/*' means all subresources of pods.
  // '*/scale' means all scale subresources.
  // '*/*' means all resources and their subresources.
  //
  // If wildcard is present, the validation rule will ensure resources do not
  // overlap with each other.
  //
  // Depending on the enclosing object, subresources might not be allowed.
  // Required.
  repeated string resources = 3;

  // scope specifies the scope of this rule.
  // Valid values are "Cluster", "Namespaced", and "*"
  // "Cluster" means that only cluster-scoped resources will match this rule.
  // Namespace API objects are cluster-scoped.
  // "Namespaced" means that only namespaced resources will match this rule.
  // "*" means that there are no scope restrictions.
  // Subresources match the scope of their parent resource.
  // Default is "*".
  //
  // +optional
  optional string scope = 4;
}
248
// RuleWithOperations is a tuple of Operations and Resources. It is recommended to make
// sure that all the tuple expansions are valid.
message RuleWithOperations {
  // Operations is the operations the admission hook cares about - CREATE, UPDATE, or *
  // for all operations.
  // If '*' is present, the length of the slice must be one.
  // Required.
  repeated string operations = 1;

  // Rule is embedded, it describes other criteria of the rule, like
  // APIGroups, APIVersions, Resources, etc.
  optional Rule rule = 2;
}
262
// ServiceReference holds a reference to Service.legacy.k8s.io
message ServiceReference {
  // `namespace` is the namespace of the service.
  // Required
  optional string namespace = 1;

  // `name` is the name of the service.
  // Required
  optional string name = 2;

  // `path` is an optional URL path which will be sent in any request to
  // this service.
  // +optional
  optional string path = 3;

  // If specified, the port on the service that is hosting the webhook.
  // Default to 443 for backward compatibility.
  // `port` should be a valid port number (1-65535, inclusive).
  // +optional
  optional int32 port = 4;
}
284
// ValidatingWebhook describes an admission webhook and the resources and operations it applies to.
// A validating webhook accepts or rejects the object under admission without changing it;
// see MutatingWebhook for the variant that may modify it.
message ValidatingWebhook {
  // The name of the admission webhook.
  // Name should be fully qualified, e.g., imagepolicy.kubernetes.io, where
  // "imagepolicy" is the name of the webhook, and kubernetes.io is the name
  // of the organization.
  // Required.
  optional string name = 1;

  // ClientConfig defines how to communicate with the hook.
  // Required
  optional WebhookClientConfig clientConfig = 2;

  // Rules describes what operations on what resources/subresources the webhook cares about.
  // The webhook cares about an operation if it matches _any_ Rule.
  // However, in order to prevent ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks
  // from putting the cluster in a state which cannot be recovered from without completely
  // disabling the plugin, ValidatingAdmissionWebhooks and MutatingAdmissionWebhooks are never called
  // on admission requests for ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
  repeated RuleWithOperations rules = 3;

  // FailurePolicy defines how unrecognized errors from the admission endpoint are handled -
  // allowed values are Ignore or Fail. Defaults to Ignore.
  // Note that Ignore is fail-open: with the default, a call that errors or times out is
  // ignored rather than failing the API request. Use Fail when the validation must not be
  // skipped.
  // +optional
  optional string failurePolicy = 4;

  // matchPolicy defines how the "rules" list is used to match incoming requests.
  // Allowed values are "Exact" or "Equivalent".
  //
  // - Exact: match a request only if it exactly matches a specified rule.
  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
  // but "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
  // a request to apps/v1beta1 or extensions/v1beta1 would not be sent to the webhook.
  //
  // - Equivalent: match a request if it modifies a resource listed in rules, even via another API group or version.
  // For example, if deployments can be modified via apps/v1, apps/v1beta1, and extensions/v1beta1,
  // and "rules" only included `apiGroups:["apps"], apiVersions:["v1"], resources: ["deployments"]`,
  // a request to apps/v1beta1 or extensions/v1beta1 would be converted to apps/v1 and sent to the webhook.
  //
  // Defaults to "Exact"
  // +optional
  optional string matchPolicy = 9;

  // NamespaceSelector decides whether to run the webhook on an object based
  // on whether the namespace for that object matches the selector. If the
  // object itself is a namespace, the matching is performed on
  // object.metadata.labels. If the object is another cluster scoped resource,
  // it never skips the webhook.
  //
  // For example, to run the webhook on any objects whose namespace is not
  // associated with "runlevel" of "0" or "1";  you will set the selector as
  // follows:
  // "namespaceSelector": {
  //   "matchExpressions": [
  //     {
  //       "key": "runlevel",
  //       "operator": "NotIn",
  //       "values": [
  //         "0",
  //         "1"
  //       ]
  //     }
  //   ]
  // }
  //
  // If instead you want to only run the webhook on any objects whose
  // namespace is associated with the "environment" of "prod" or "staging";
  // you will set the selector as follows:
  // "namespaceSelector": {
  //   "matchExpressions": [
  //     {
  //       "key": "environment",
  //       "operator": "In",
  //       "values": [
  //         "prod",
  //         "staging"
  //       ]
  //     }
  //   ]
  // }
  //
  // See
  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels
  // for more examples of label selectors.
  //
  // Default to the empty LabelSelector, which matches everything.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;

  // ObjectSelector decides whether to run the webhook based on if the
  // object has matching labels. objectSelector is evaluated against both
  // the oldObject and newObject that would be sent to the webhook, and
  // is considered to match if either object matches the selector. A null
  // object (oldObject in the case of create, or newObject in the case of
  // delete) or an object that cannot have labels (like a
  // DeploymentRollback or a PodProxyOptions object) is not considered to
  // match.
  // Use the object selector only if the webhook is opt-in, because end
  // users may skip the admission webhook by setting the labels; it is not
  // a suitable basis for a policy that must apply to every object.
  // Default to the empty LabelSelector, which matches everything.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector objectSelector = 10;

  // SideEffects states whether this webhook has side effects.
  // Acceptable values are: Unknown, None, Some, NoneOnDryRun
  // Webhooks with side effects MUST implement a reconciliation system, since a request may be
  // rejected by a future step in the admission chain and the side effects therefore need to be undone.
  // Requests with the dryRun attribute will be auto-rejected if they match a webhook with
  // sideEffects == Unknown or Some. Defaults to Unknown.
  // +optional
  optional string sideEffects = 6;

  // TimeoutSeconds specifies the timeout for this webhook. After the timeout passes,
  // the webhook call will be ignored or the API call will fail based on the
  // failure policy.
  // The timeout value must be between 1 and 30 seconds.
  // Default to 30 seconds.
  // +optional
  optional int32 timeoutSeconds = 7;

  // AdmissionReviewVersions is an ordered list of preferred `AdmissionReview`
  // versions the Webhook expects. API server will try to use first version in
  // the list which it supports. If none of the versions specified in this list
  // is supported by the API server, validation will fail for this object.
  // If a persisted webhook configuration specifies allowed versions and does not
  // include any versions known to the API Server, calls to the webhook will fail
  // and be subject to the failure policy.
  // Default to `['v1beta1']`.
  // +optional
  repeated string admissionReviewVersions = 8;
}
416
// ValidatingWebhookConfiguration describes the configuration of an admission webhook that accepts or rejects an object without changing it.
// Deprecated in v1.16, planned for removal in v1.19. Use admissionregistration.k8s.io/v1 ValidatingWebhookConfiguration instead.
message ValidatingWebhookConfiguration {
  // Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Webhooks is a list of webhooks and the affected resources and operations.
  // The patch markers below request list merging keyed by each webhook's `name`.
  // +optional
  // +patchMergeKey=name
  // +patchStrategy=merge
  repeated ValidatingWebhook Webhooks = 2;
}
430
// ValidatingWebhookConfigurationList is a list of ValidatingWebhookConfiguration.
message ValidatingWebhookConfigurationList {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of ValidatingWebhookConfiguration.
  repeated ValidatingWebhookConfiguration items = 2;
}
441
// WebhookClientConfig contains the information to make a TLS
// connection with the webhook. Exactly one of `url` or `service`
// selects the endpoint; `caBundle` controls which server certificates
// the apiserver will accept for it.
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`scheme://host:port/path`). Exactly one of `url` or `service`
  // must be specified.
  //
  // The `host` should not refer to a service running in the cluster; use
  // the `service` field instead. The host might be resolved via external
  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
  // in-cluster DNS as that would be a layering violation). `host` may
  // also be an IP address.
  //
  // Please note that using `localhost` or `127.0.0.1` as a `host` is
  // risky unless you take great care to run this webhook on all hosts
  // which run an apiserver which might need to make calls to this
  // webhook. Such installs are likely to be non-portable, i.e., not easy
  // to turn up in a new cluster.
  //
  // The scheme must be "https"; the URL must begin with "https://".
  //
  // A path is optional, and if present may be any string permissible in
  // a URL. You may use the path to pass an arbitrary string to the
  // webhook, for example, a cluster identifier.
  //
  // Attempting to use a user or basic auth e.g. "user:password@" is not
  // allowed. Fragments ("#...") and query parameters ("?...") are not
  // allowed, either.
  //
  // +optional
  optional string url = 3;

  // `service` is a reference to the service for this webhook. Either
  // `service` or `url` must be specified.
  //
  // If the webhook is running within the cluster, then you should use `service`.
  //
  // +optional
  optional ServiceReference service = 1;

  // `caBundle` is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
  // If unspecified, system trust roots on the apiserver are used.
  // Supplying a purpose-specific bundle pins the webhook's issuer; relying on the
  // system trust roots accepts any certificate chaining to a CA the apiserver host
  // trusts, which is typically a much broader set.
  // +optional
  optional bytes caBundle = 2;
}
487
488