Google Git
Sign in
cue / cue / b13155ba5e82ce9392c71ccebf23813d404ff148 / . / doc / tutorial / kubernetes / quick / cue.mod / gen / k8s.io / api / extensions / v1beta1 / types_go_gen.cue
blob: 0e1b5a31f039339b5f365e8083d39afc1484111e [file] [log] [blame]
// Code generated by cue get go. DO NOT EDIT.
//cue:generate cue get go k8s.io/api/extensions/v1beta1
package v1beta1
import (
"k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
)
// describes the attributes of a scale subresource
ScaleSpec :: {
// desired number of instances for the scaled object.
// +optional
replicas?: int32 @go(Replicas) @protobuf(1,varint,opt)
}
// represents the current status of a scale subresource.
ScaleStatus :: {
// actual number of observed instances of the scaled object.
replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
// label query over pods that should match the replicas count. More info: http://kubernetes.io/docs/user-guide/labels#label-selectors
// +optional
selector?: {[string]: string} @go(Selector,map[string]string) @protobuf(2,bytes,rep)
// label selector for pods that should match the replicas count. This is a serializated
// version of both map-based and more expressive set-based selectors. This is done to
// avoid introspection in the clients. The string will be in the same format as the
// query-param syntax. If the target type only supports map-based selectors, both this
// field and map-based selector field are populated.
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
// +optional
targetSelector?: string @go(TargetSelector) @protobuf(3,bytes,opt)
}
// represents a scaling request for a resource.
Scale :: {
metav1.TypeMeta
// Standard object metadata; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata.
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// defines the behavior of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.
// +optional
spec?: ScaleSpec @go(Spec) @protobuf(2,bytes,opt)
// current status of the scale. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status. Read-only.
// +optional
status?: ScaleStatus @go(Status) @protobuf(3,bytes,opt)
}
// Dummy definition
ReplicationControllerDummy :: {
metav1.TypeMeta
}
// DEPRECATED - This group version of Deployment is deprecated by apps/v1beta2/Deployment. See the release notes for
// more information.
// Deployment enables declarative updates for Pods and ReplicaSets.
Deployment :: {
metav1.TypeMeta
// Standard object metadata.
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// Specification of the desired behavior of the Deployment.
// +optional
spec?: DeploymentSpec @go(Spec) @protobuf(2,bytes,opt)
// Most recently observed status of the Deployment.
// +optional
status?: DeploymentStatus @go(Status) @protobuf(3,bytes,opt)
}
// DeploymentSpec is the specification of the desired behavior of the Deployment.
DeploymentSpec :: {
// Number of desired pods. This is a pointer to distinguish between explicit
// zero and not specified. Defaults to 1.
// +optional
replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
// Label selector for pods. Existing ReplicaSets whose pods are
// selected by this will be the ones affected by this deployment.
// +optional
selector?: null | metav1.LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
// Template describes the pods that will be created.
template: v1.PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
// The deployment strategy to use to replace existing pods with new ones.
// +optional
// +patchStrategy=retainKeys
strategy?: DeploymentStrategy @go(Strategy) @protobuf(4,bytes,opt)
// Minimum number of seconds for which a newly created pod should be ready
// without any of its container crashing, for it to be considered available.
// Defaults to 0 (pod will be considered available as soon as it is ready)
// +optional
minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(5,varint,opt)
// The number of old ReplicaSets to retain to allow rollback.
// This is a pointer to distinguish between explicit zero and not specified.
// This is set to the max value of int32 (i.e. 2147483647) by default, which
// means "retaining all old RelicaSets".
// +optional
revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
// Indicates that the deployment is paused and will not be processed by the
// deployment controller.
// +optional
paused?: bool @go(Paused) @protobuf(7,varint,opt)
// DEPRECATED.
// The config this deployment is rolling back to. Will be cleared after rollback is done.
// +optional
rollbackTo?: null | RollbackConfig @go(RollbackTo,*RollbackConfig) @protobuf(8,bytes,opt)
// The maximum time in seconds for a deployment to make progress before it
// is considered to be failed. The deployment controller will continue to
// process failed deployments and a condition with a ProgressDeadlineExceeded
// reason will be surfaced in the deployment status. Note that progress will
// not be estimated during the time a deployment is paused. This is set to
// the max value of int32 (i.e. 2147483647) by default, which means "no deadline".
// +optional
progressDeadlineSeconds?: null | int32 @go(ProgressDeadlineSeconds,*int32) @protobuf(9,varint,opt)
}
// DEPRECATED.
// DeploymentRollback stores the information required to rollback a deployment.
DeploymentRollback :: {
metav1.TypeMeta
// Required: This must match the Name of a deployment.
name: string @go(Name) @protobuf(1,bytes,opt)
// The annotations to be updated to a deployment
// +optional
updatedAnnotations?: {[string]: string} @go(UpdatedAnnotations,map[string]string) @protobuf(2,bytes,rep)
// The config of this deployment rollback.
rollbackTo: RollbackConfig @go(RollbackTo) @protobuf(3,bytes,opt)
}
// DEPRECATED.
RollbackConfig :: {
// The revision to rollback to. If set to 0, rollback to the last revision.
// +optional
revision?: int64 @go(Revision) @protobuf(1,varint,opt)
}
// DefaultDeploymentUniqueLabelKey is the default key of the selector that is added
// to existing RCs (and label key that is added to its pods) to prevent the existing RCs
// to select new pods (and old pods being select by new RC).
DefaultDeploymentUniqueLabelKey :: "pod-template-hash"
// DeploymentStrategy describes how to replace existing pods with new ones.
DeploymentStrategy :: {
// Type of deployment. Can be "Recreate" or "RollingUpdate". Default is RollingUpdate.
// +optional
type?: DeploymentStrategyType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentStrategyType)
// Rolling update config params. Present only if DeploymentStrategyType =
// RollingUpdate.
//---
// TODO: Update this to follow our convention for oneOf, whatever we decide it
// to be.
// +optional
rollingUpdate?: null | RollingUpdateDeployment @go(RollingUpdate,*RollingUpdateDeployment) @protobuf(2,bytes,opt)
}
DeploymentStrategyType :: string // enumDeploymentStrategyType
enumDeploymentStrategyType ::
RecreateDeploymentStrategyType |
RollingUpdateDeploymentStrategyType
// Kill all existing pods before creating new ones.
RecreateDeploymentStrategyType :: DeploymentStrategyType & "Recreate"
// Replace the old RCs by new one using rolling update i.e gradually scale down the old RCs and scale up the new one.
RollingUpdateDeploymentStrategyType :: DeploymentStrategyType & "RollingUpdate"
// Spec to control the desired behavior of rolling update.
RollingUpdateDeployment :: {
// The maximum number of pods that can be unavailable during the update.
// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
// Absolute number is calculated from percentage by rounding down.
// This can not be 0 if MaxSurge is 0.
// By default, a fixed value of 1 is used.
// Example: when this is set to 30%, the old RC can be scaled down to 70% of desired pods
// immediately when the rolling update starts. Once new pods are ready, old RC
// can be scaled down further, followed by scaling up the new RC, ensuring
// that the total number of pods available at all times during the update is at
// least 70% of desired pods.
// +optional
maxUnavailable?: null | intstr.IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
// The maximum number of pods that can be scheduled above the desired number of
// pods.
// Value can be an absolute number (ex: 5) or a percentage of desired pods (ex: 10%).
// This can not be 0 if MaxUnavailable is 0.
// Absolute number is calculated from percentage by rounding up.
// By default, a value of 1 is used.
// Example: when this is set to 30%, the new RC can be scaled up immediately when
// the rolling update starts, such that the total number of old and new pods do not exceed
// 130% of desired pods. Once old pods have been killed,
// new RC can be scaled up further, ensuring that total number of pods running
// at any time during the update is at most 130% of desired pods.
// +optional
maxSurge?: null | intstr.IntOrString @go(MaxSurge,*intstr.IntOrString) @protobuf(2,bytes,opt)
}
// DeploymentStatus is the most recently observed status of the Deployment.
DeploymentStatus :: {
// The generation observed by the deployment controller.
// +optional
observedGeneration?: int64 @go(ObservedGeneration) @protobuf(1,varint,opt)
// Total number of non-terminated pods targeted by this deployment (their labels match the selector).
// +optional
replicas?: int32 @go(Replicas) @protobuf(2,varint,opt)
// Total number of non-terminated pods targeted by this deployment that have the desired template spec.
// +optional
updatedReplicas?: int32 @go(UpdatedReplicas) @protobuf(3,varint,opt)
// Total number of ready pods targeted by this deployment.
// +optional
readyReplicas?: int32 @go(ReadyReplicas) @protobuf(7,varint,opt)
// Total number of available pods (ready for at least minReadySeconds) targeted by this deployment.
// +optional
availableReplicas?: int32 @go(AvailableReplicas) @protobuf(4,varint,opt)
// Total number of unavailable pods targeted by this deployment. This is the total number of
// pods that are still required for the deployment to have 100% available capacity. They may
// either be pods that are running but not yet available or pods that still have not been created.
// +optional
unavailableReplicas?: int32 @go(UnavailableReplicas) @protobuf(5,varint,opt)
// Represents the latest available observations of a deployment's current state.
// +patchMergeKey=type
// +patchStrategy=merge
conditions?: [...DeploymentCondition] @go(Conditions,[]DeploymentCondition) @protobuf(6,bytes,rep)
// Count of hash collisions for the Deployment. The Deployment controller uses this
// field as a collision avoidance mechanism when it needs to create the name for the
// newest ReplicaSet.
// +optional
collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(8,varint,opt)
}
DeploymentConditionType :: string // enumDeploymentConditionType
enumDeploymentConditionType ::
DeploymentAvailable |
DeploymentProgressing |
DeploymentReplicaFailure
// Available means the deployment is available, ie. at least the minimum available
// replicas required are up and running for at least minReadySeconds.
DeploymentAvailable :: DeploymentConditionType & "Available"
// Progressing means the deployment is progressing. Progress for a deployment is
// considered when a new replica set is created or adopted, and when new pods scale
// up or old pods scale down. Progress is not estimated for paused deployments or
// when progressDeadlineSeconds is not specified.
DeploymentProgressing :: DeploymentConditionType & "Progressing"
// ReplicaFailure is added in a deployment when one of its pods fails to be created
// or deleted.
DeploymentReplicaFailure :: DeploymentConditionType & "ReplicaFailure"
// DeploymentCondition describes the state of a deployment at a certain point.
DeploymentCondition :: {
// Type of deployment condition.
type: DeploymentConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DeploymentConditionType)
// Status of the condition, one of True, False, Unknown.
status: v1.ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
// The last time this condition was updated.
lastUpdateTime?: metav1.Time @go(LastUpdateTime) @protobuf(6,bytes,opt)
// Last time the condition transitioned from one status to another.
lastTransitionTime?: metav1.Time @go(LastTransitionTime) @protobuf(7,bytes,opt)
// The reason for the condition's last transition.
reason?: string @go(Reason) @protobuf(4,bytes,opt)
// A human readable message indicating details about the transition.
message?: string @go(Message) @protobuf(5,bytes,opt)
}
// DeploymentList is a list of Deployments.
DeploymentList :: {
metav1.TypeMeta
// Standard list metadata.
// +optional
metadata?: metav1.ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
// Items is the list of Deployments.
items: [...Deployment] @go(Items,[]Deployment) @protobuf(2,bytes,rep)
}
DaemonSetUpdateStrategy :: {
// Type of daemon set update. Can be "RollingUpdate" or "OnDelete".
// Default is OnDelete.
// +optional
type?: DaemonSetUpdateStrategyType @go(Type) @protobuf(1,bytes,opt)
// Rolling update config params. Present only if type = "RollingUpdate".
//---
// TODO: Update this to follow our convention for oneOf, whatever we decide it
// to be. Same as Deployment `strategy.rollingUpdate`.
// See https://github.com/kubernetes/kubernetes/issues/35345
// +optional
rollingUpdate?: null | RollingUpdateDaemonSet @go(RollingUpdate,*RollingUpdateDaemonSet) @protobuf(2,bytes,opt)
}
DaemonSetUpdateStrategyType :: string // enumDaemonSetUpdateStrategyType
enumDaemonSetUpdateStrategyType ::
RollingUpdateDaemonSetStrategyType |
OnDeleteDaemonSetStrategyType
// Replace the old daemons by new ones using rolling update i.e replace them on each node one after the other.
RollingUpdateDaemonSetStrategyType :: DaemonSetUpdateStrategyType & "RollingUpdate"
// Replace the old daemons only when it's killed
OnDeleteDaemonSetStrategyType :: DaemonSetUpdateStrategyType & "OnDelete"
// Spec to control the desired behavior of daemon set rolling update.
RollingUpdateDaemonSet :: {
// The maximum number of DaemonSet pods that can be unavailable during the
// update. Value can be an absolute number (ex: 5) or a percentage of total
// number of DaemonSet pods at the start of the update (ex: 10%). Absolute
// number is calculated from percentage by rounding up.
// This cannot be 0.
// Default value is 1.
// Example: when this is set to 30%, at most 30% of the total number of nodes
// that should be running the daemon pod (i.e. status.desiredNumberScheduled)
// can have their pods stopped for an update at any given
// time. The update starts by stopping at most 30% of those DaemonSet pods
// and then brings up new DaemonSet pods in their place. Once the new pods
// are available, it then proceeds onto other DaemonSet pods, thus ensuring
// that at least 70% of original number of DaemonSet pods are available at
// all times during the update.
// +optional
maxUnavailable?: null | intstr.IntOrString @go(MaxUnavailable,*intstr.IntOrString) @protobuf(1,bytes,opt)
}
// DaemonSetSpec is the specification of a daemon set.
DaemonSetSpec :: {
// A label query over pods that are managed by the daemon set.
// Must match in order to be controlled.
// If empty, defaulted to labels on Pod template.
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
// +optional
selector?: null | metav1.LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
// An object that describes the pod that will be created.
// The DaemonSet will create exactly one copy of this pod on every node
// that matches the template's node selector (or on every node if no node
// selector is specified).
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
template: v1.PodTemplateSpec @go(Template) @protobuf(2,bytes,opt)
// An update strategy to replace existing DaemonSet pods with new pods.
// +optional
updateStrategy?: DaemonSetUpdateStrategy @go(UpdateStrategy) @protobuf(3,bytes,opt)
// The minimum number of seconds for which a newly created DaemonSet pod should
// be ready without any of its container crashing, for it to be considered
// available. Defaults to 0 (pod will be considered available as soon as it
// is ready).
// +optional
minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
// DEPRECATED.
// A sequence number representing a specific generation of the template.
// Populated by the system. It can be set only during the creation.
// +optional
templateGeneration?: int64 @go(TemplateGeneration) @protobuf(5,varint,opt)
// The number of old history to retain to allow rollback.
// This is a pointer to distinguish between explicit zero and not specified.
// Defaults to 10.
// +optional
revisionHistoryLimit?: null | int32 @go(RevisionHistoryLimit,*int32) @protobuf(6,varint,opt)
}
// DaemonSetStatus represents the current status of a daemon set.
DaemonSetStatus :: {
// The number of nodes that are running at least 1
// daemon pod and are supposed to run the daemon pod.
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
currentNumberScheduled: int32 @go(CurrentNumberScheduled) @protobuf(1,varint,opt)
// The number of nodes that are running the daemon pod, but are
// not supposed to run the daemon pod.
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
numberMisscheduled: int32 @go(NumberMisscheduled) @protobuf(2,varint,opt)
// The total number of nodes that should be running the daemon
// pod (including nodes correctly running the daemon pod).
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/
desiredNumberScheduled: int32 @go(DesiredNumberScheduled) @protobuf(3,varint,opt)
// The number of nodes that should be running the daemon pod and have one
// or more of the daemon pod running and ready.
numberReady: int32 @go(NumberReady) @protobuf(4,varint,opt)
// The most recent generation observed by the daemon set controller.
// +optional
observedGeneration?: int64 @go(ObservedGeneration) @protobuf(5,varint,opt)
// The total number of nodes that are running updated daemon pod
// +optional
updatedNumberScheduled?: int32 @go(UpdatedNumberScheduled) @protobuf(6,varint,opt)
// The number of nodes that should be running the
// daemon pod and have one or more of the daemon pod running and
// available (ready for at least spec.minReadySeconds)
// +optional
numberAvailable?: int32 @go(NumberAvailable) @protobuf(7,varint,opt)
// The number of nodes that should be running the
// daemon pod and have none of the daemon pod running and available
// (ready for at least spec.minReadySeconds)
// +optional
numberUnavailable?: int32 @go(NumberUnavailable) @protobuf(8,varint,opt)
// Count of hash collisions for the DaemonSet. The DaemonSet controller
// uses this field as a collision avoidance mechanism when it needs to
// create the name for the newest ControllerRevision.
// +optional
collisionCount?: null | int32 @go(CollisionCount,*int32) @protobuf(9,varint,opt)
// Represents the latest available observations of a DaemonSet's current state.
// +optional
// +patchMergeKey=type
// +patchStrategy=merge
conditions?: [...DaemonSetCondition] @go(Conditions,[]DaemonSetCondition) @protobuf(10,bytes,rep)
}
DaemonSetConditionType :: string
// DaemonSetCondition describes the state of a DaemonSet at a certain point.
DaemonSetCondition :: {
// Type of DaemonSet condition.
type: DaemonSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=DaemonSetConditionType)
// Status of the condition, one of True, False, Unknown.
status: v1.ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
// Last time the condition transitioned from one status to another.
// +optional
lastTransitionTime?: metav1.Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
// The reason for the condition's last transition.
// +optional
reason?: string @go(Reason) @protobuf(4,bytes,opt)
// A human readable message indicating details about the transition.
// +optional
message?: string @go(Message) @protobuf(5,bytes,opt)
}
// DEPRECATED - This group version of DaemonSet is deprecated by apps/v1beta2/DaemonSet. See the release notes for
// more information.
// DaemonSet represents the configuration of a daemon set.
DaemonSet :: {
metav1.TypeMeta
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// The desired behavior of this daemon set.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
spec?: DaemonSetSpec @go(Spec) @protobuf(2,bytes,opt)
// The current status of this daemon set. This data may be
// out of date by some window of time.
// Populated by the system.
// Read-only.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
status?: DaemonSetStatus @go(Status) @protobuf(3,bytes,opt)
}
// DEPRECATED: DefaultDaemonSetUniqueLabelKey is used instead.
// DaemonSetTemplateGenerationKey is the key of the labels that is added
// to daemon set pods to distinguish between old and new pod templates
// during DaemonSet template update.
DaemonSetTemplateGenerationKey :: "pod-template-generation"
// DefaultDaemonSetUniqueLabelKey is the default label key that is added
// to existing DaemonSet pods to distinguish between old and new
// DaemonSet pods during DaemonSet template updates.
DefaultDaemonSetUniqueLabelKey :: "controller-revision-hash"
// DaemonSetList is a collection of daemon sets.
DaemonSetList :: {
metav1.TypeMeta
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
// A list of daemon sets.
items: [...DaemonSet] @go(Items,[]DaemonSet) @protobuf(2,bytes,rep)
}
// Ingress is a collection of rules that allow inbound connections to reach the
// endpoints defined by a backend. An Ingress can be configured to give services
// externally-reachable urls, load balance traffic, terminate SSL, offer name
// based virtual hosting etc.
// DEPRECATED - This group version of Ingress is deprecated by networking.k8s.io/v1beta1 Ingress. See the release notes for more information.
Ingress :: {
metav1.TypeMeta
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// Spec is the desired state of the Ingress.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
spec?: IngressSpec @go(Spec) @protobuf(2,bytes,opt)
// Status is the current state of the Ingress.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
status?: IngressStatus @go(Status) @protobuf(3,bytes,opt)
}
// IngressList is a collection of Ingress.
IngressList :: {
metav1.TypeMeta
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
// Items is the list of Ingress.
items: [...Ingress] @go(Items,[]Ingress) @protobuf(2,bytes,rep)
}
// IngressSpec describes the Ingress the user wishes to exist.
IngressSpec :: {
// A default backend capable of servicing requests that don't match any
// rule. At least one of 'backend' or 'rules' must be specified. This field
// is optional to allow the loadbalancer controller or defaulting logic to
// specify a global default.
// +optional
backend?: null | IngressBackend @go(Backend,*IngressBackend) @protobuf(1,bytes,opt)
// TLS configuration. Currently the Ingress only supports a single TLS
// port, 443. If multiple members of this list specify different hosts, they
// will be multiplexed on the same port according to the hostname specified
// through the SNI TLS extension, if the ingress controller fulfilling the
// ingress supports SNI.
// +optional
tls?: [...IngressTLS] @go(TLS,[]IngressTLS) @protobuf(2,bytes,rep)
// A list of host rules used to configure the Ingress. If unspecified, or
// no rule matches, all traffic is sent to the default backend.
// +optional
rules?: [...IngressRule] @go(Rules,[]IngressRule) @protobuf(3,bytes,rep)
}
// IngressTLS describes the transport layer security associated with an Ingress.
IngressTLS :: {
// Hosts are a list of hosts included in the TLS certificate. The values in
// this list must match the name/s used in the tlsSecret. Defaults to the
// wildcard host setting for the loadbalancer controller fulfilling this
// Ingress, if left unspecified.
// +optional
hosts?: [...string] @go(Hosts,[]string) @protobuf(1,bytes,rep)
// SecretName is the name of the secret used to terminate SSL traffic on 443.
// Field is left optional to allow SSL routing based on SNI hostname alone.
// If the SNI host in a listener conflicts with the "Host" header field used
// by an IngressRule, the SNI host is used for termination and value of the
// Host header is used for routing.
// +optional
secretName?: string @go(SecretName) @protobuf(2,bytes,opt)
}
// IngressStatus describe the current state of the Ingress.
IngressStatus :: {
// LoadBalancer contains the current status of the load-balancer.
// +optional
loadBalancer?: v1.LoadBalancerStatus @go(LoadBalancer) @protobuf(1,bytes,opt)
}
// IngressRule represents the rules mapping the paths under a specified host to
// the related backend services. Incoming requests are first evaluated for a host
// match, then routed to the backend associated with the matching IngressRuleValue.
IngressRule :: {
// Host is the fully qualified domain name of a network host, as defined
// by RFC 3986. Note the following deviations from the "host" part of the
// URI as defined in the RFC:
// 1. IPs are not allowed. Currently an IngressRuleValue can only apply to the
// IP in the Spec of the parent Ingress.
// 2. The `:` delimiter is not respected because ports are not allowed.
// Currently the port of an Ingress is implicitly :80 for http and
// :443 for https.
// Both these may change in the future.
// Incoming requests are matched against the host before the IngressRuleValue.
// If the host is unspecified, the Ingress routes all traffic based on the
// specified IngressRuleValue.
// +optional
host?: string @go(Host) @protobuf(1,bytes,opt)
IngressRuleValue
}
// IngressRuleValue represents a rule to apply against incoming requests. If the
// rule is satisfied, the request is routed to the specified backend. Currently
// mixing different types of rules in a single Ingress is disallowed, so exactly
// one of the following must be set.
IngressRuleValue :: {
// +optional
http?: null | HTTPIngressRuleValue @go(HTTP,*HTTPIngressRuleValue) @protobuf(1,bytes,opt)
}
// HTTPIngressRuleValue is a list of http selectors pointing to backends.
// In the example: http://<host>/<path>?<searchpart> -> backend where
// where parts of the url correspond to RFC 3986, this resource will be used
// to match against everything after the last '/' and before the first '?'
// or '#'.
HTTPIngressRuleValue :: {
// A collection of paths that map requests to backends.
paths: [...HTTPIngressPath] @go(Paths,[]HTTPIngressPath) @protobuf(1,bytes,rep)
}
// HTTPIngressPath associates a path regex with a backend. Incoming urls matching
// the path are forwarded to the backend.
HTTPIngressPath :: {
// Path is an extended POSIX regex as defined by IEEE Std 1003.1,
// (i.e this follows the egrep/unix syntax, not the perl syntax)
// matched against the path of an incoming request. Currently it can
// contain characters disallowed from the conventional "path"
// part of a URL as defined by RFC 3986. Paths must begin with
// a '/'. If unspecified, the path defaults to a catch all sending
// traffic to the backend.
// +optional
path?: string @go(Path) @protobuf(1,bytes,opt)
// Backend defines the referenced service endpoint to which the traffic
// will be forwarded to.
backend: IngressBackend @go(Backend) @protobuf(2,bytes,opt)
}
// IngressBackend describes all endpoints for a given service and port.
IngressBackend :: {
// Specifies the name of the referenced service.
serviceName: string @go(ServiceName) @protobuf(1,bytes,opt)
// Specifies the port of the referenced service.
servicePort: intstr.IntOrString @go(ServicePort) @protobuf(2,bytes,opt)
}
// DEPRECATED - This group version of ReplicaSet is deprecated by apps/v1beta2/ReplicaSet. See the release notes for
// more information.
// ReplicaSet ensures that a specified number of pod replicas are running at any given time.
ReplicaSet :: {
metav1.TypeMeta
// If the Labels of a ReplicaSet are empty, they are defaulted to
// be the same as the Pod(s) that the ReplicaSet manages.
// Standard object's metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// Spec defines the specification of the desired behavior of the ReplicaSet.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
spec?: ReplicaSetSpec @go(Spec) @protobuf(2,bytes,opt)
// Status is the most recently observed status of the ReplicaSet.
// This data may be out of date by some window of time.
// Populated by the system.
// Read-only.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
// +optional
status?: ReplicaSetStatus @go(Status) @protobuf(3,bytes,opt)
}
// ReplicaSetList is a collection of ReplicaSets.
ReplicaSetList :: {
metav1.TypeMeta
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
// +optional
metadata?: metav1.ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
// List of ReplicaSets.
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller
items: [...ReplicaSet] @go(Items,[]ReplicaSet) @protobuf(2,bytes,rep)
}
// ReplicaSetSpec is the specification of a ReplicaSet.
ReplicaSetSpec :: {
// Replicas is the number of desired replicas.
// This is a pointer to distinguish between explicit zero and unspecified.
// Defaults to 1.
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
// +optional
replicas?: null | int32 @go(Replicas,*int32) @protobuf(1,varint,opt)
// Minimum number of seconds for which a newly created pod should be ready
// without any of its container crashing, for it to be considered available.
// Defaults to 0 (pod will be considered available as soon as it is ready)
// +optional
minReadySeconds?: int32 @go(MinReadySeconds) @protobuf(4,varint,opt)
// Selector is a label query over pods that should match the replica count.
// If the selector is empty, it is defaulted to the labels present on the pod template.
// Label keys and values that must match in order to be controlled by this replica set.
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
// +optional
selector?: null | metav1.LabelSelector @go(Selector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
// Template is the object that describes the pod that will be created if
// insufficient replicas are detected.
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller#pod-template
// +optional
template?: v1.PodTemplateSpec @go(Template) @protobuf(3,bytes,opt)
}
// ReplicaSetStatus represents the current status of a ReplicaSet.
ReplicaSetStatus :: {
// Replicas is the most recently oberved number of replicas.
// More info: https://kubernetes.io/docs/concepts/workloads/controllers/replicationcontroller/#what-is-a-replicationcontroller
replicas: int32 @go(Replicas) @protobuf(1,varint,opt)
// The number of pods that have labels matching the labels of the pod template of the replicaset.
// +optional
fullyLabeledReplicas?: int32 @go(FullyLabeledReplicas) @protobuf(2,varint,opt)
// The number of ready replicas for this replica set.
// +optional
readyReplicas?: int32 @go(ReadyReplicas) @protobuf(4,varint,opt)
// The number of available replicas (ready for at least minReadySeconds) for this replica set.
// +optional
availableReplicas?: int32 @go(AvailableReplicas) @protobuf(5,varint,opt)
// ObservedGeneration reflects the generation of the most recently observed ReplicaSet.
// +optional
observedGeneration?: int64 @go(ObservedGeneration) @protobuf(3,varint,opt)
// Represents the latest available observations of a replica set's current state.
// +optional
// +patchMergeKey=type
// +patchStrategy=merge
conditions?: [...ReplicaSetCondition] @go(Conditions,[]ReplicaSetCondition) @protobuf(6,bytes,rep)
}
ReplicaSetConditionType :: string // enumReplicaSetConditionType
enumReplicaSetConditionType ::
ReplicaSetReplicaFailure
// ReplicaSetReplicaFailure is added in a replica set when one of its pods fails to be created
// due to insufficient quota, limit ranges, pod security policy, node selectors, etc. or deleted
// due to kubelet being down or finalizers are failing.
ReplicaSetReplicaFailure :: ReplicaSetConditionType & "ReplicaFailure"
// ReplicaSetCondition describes the state of a replica set at a certain point.
ReplicaSetCondition :: {
// Type of replica set condition.
type: ReplicaSetConditionType @go(Type) @protobuf(1,bytes,opt,casttype=ReplicaSetConditionType)
// Status of the condition, one of True, False, Unknown.
status: v1.ConditionStatus @go(Status) @protobuf(2,bytes,opt,casttype=k8s.io/api/core/v1.ConditionStatus)
// The last time the condition transitioned from one status to another.
// +optional
lastTransitionTime?: metav1.Time @go(LastTransitionTime) @protobuf(3,bytes,opt)
// The reason for the condition's last transition.
// +optional
reason?: string @go(Reason) @protobuf(4,bytes,opt)
// A human readable message indicating details about the transition.
// +optional
message?: string @go(Message) @protobuf(5,bytes,opt)
}
// PodSecurityPolicy governs the ability to make requests that affect the Security Context
// that will be applied to a pod and container.
// Deprecated: use PodSecurityPolicy from policy API Group instead.
PodSecurityPolicy :: {
metav1.TypeMeta
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// spec defines the policy enforced.
// +optional
spec?: PodSecurityPolicySpec @go(Spec) @protobuf(2,bytes,opt)
}
// PodSecurityPolicySpec defines the policy enforced.
// Deprecated: use PodSecurityPolicySpec from policy API Group instead.
PodSecurityPolicySpec :: {
// privileged determines if a pod can request to be run as privileged.
// +optional
privileged?: bool @go(Privileged) @protobuf(1,varint,opt)
// defaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capability in both
// defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
// allowed, and need not be included in the allowedCapabilities list.
// +optional
defaultAddCapabilities?: [...v1.Capability] @go(DefaultAddCapabilities,[]v1.Capability) @protobuf(2,bytes,rep,casttype=k8s.io/api/core/v1.Capability)
// requiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +optional
requiredDropCapabilities?: [...v1.Capability] @go(RequiredDropCapabilities,[]v1.Capability) @protobuf(3,bytes,rep,casttype=k8s.io/api/core/v1.Capability)
// allowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field may be added at the pod author's discretion.
// You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
// +optional
allowedCapabilities?: [...v1.Capability] @go(AllowedCapabilities,[]v1.Capability) @protobuf(4,bytes,rep,casttype=k8s.io/api/core/v1.Capability)
// volumes is a white list of allowed volume plugins. Empty indicates that
// no volumes may be used. To allow all volumes you may use '*'.
// +optional
volumes?: [...FSType] @go(Volumes,[]FSType) @protobuf(5,bytes,rep,casttype=FSType)
// hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
// +optional
hostNetwork?: bool @go(HostNetwork) @protobuf(6,varint,opt)
// hostPorts determines which host port ranges are allowed to be exposed.
// +optional
hostPorts?: [...HostPortRange] @go(HostPorts,[]HostPortRange) @protobuf(7,bytes,rep)
// hostPID determines if the policy allows the use of HostPID in the pod spec.
// +optional
hostPID?: bool @go(HostPID) @protobuf(8,varint,opt)
// hostIPC determines if the policy allows the use of HostIPC in the pod spec.
// +optional
hostIPC?: bool @go(HostIPC) @protobuf(9,varint,opt)
// seLinux is the strategy that will dictate the allowable labels that may be set.
seLinux: SELinuxStrategyOptions @go(SELinux) @protobuf(10,bytes,opt)
// runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
runAsUser: RunAsUserStrategyOptions @go(RunAsUser) @protobuf(11,bytes,opt)
// RunAsGroup is the strategy that will dictate the allowable RunAsGroup values that may be set.
// If this field is omitted, the pod's RunAsGroup can take any value. This field requires the
// RunAsGroup feature gate to be enabled.
// +optional
runAsGroup?: null | RunAsGroupStrategyOptions @go(RunAsGroup,*RunAsGroupStrategyOptions) @protobuf(22,bytes,opt)
// supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
supplementalGroups: SupplementalGroupsStrategyOptions @go(SupplementalGroups) @protobuf(12,bytes,opt)
// fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
fsGroup: FSGroupStrategyOptions @go(FSGroup) @protobuf(13,bytes,opt)
// readOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the PSP should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
// +optional
readOnlyRootFilesystem?: bool @go(ReadOnlyRootFilesystem) @protobuf(14,varint,opt)
// defaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
defaultAllowPrivilegeEscalation?: null | bool @go(DefaultAllowPrivilegeEscalation,*bool) @protobuf(15,varint,opt)
// allowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
allowPrivilegeEscalation?: null | bool @go(AllowPrivilegeEscalation,*bool) @protobuf(16,varint,opt)
// allowedHostPaths is a white list of allowed host paths. Empty indicates
// that all host paths may be used.
// +optional
allowedHostPaths?: [...AllowedHostPath] @go(AllowedHostPaths,[]AllowedHostPath) @protobuf(17,bytes,rep)
// allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "volumes" field.
// +optional
allowedFlexVolumes?: [...AllowedFlexVolume] @go(AllowedFlexVolumes,[]AllowedFlexVolume) @protobuf(18,bytes,rep)
// AllowedCSIDrivers is a whitelist of inline CSI drivers that must be explicitly set to be embedded within a pod spec.
// An empty value indicates that any CSI driver can be used for inline ephemeral volumes.
// +optional
allowedCSIDrivers?: [...AllowedCSIDriver] @go(AllowedCSIDrivers,[]AllowedCSIDriver) @protobuf(23,bytes,rep)
// allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
allowedUnsafeSysctls?: [...string] @go(AllowedUnsafeSysctls,[]string) @protobuf(19,bytes,rep)
// forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
forbiddenSysctls?: [...string] @go(ForbiddenSysctls,[]string) @protobuf(20,bytes,rep)
// AllowedProcMountTypes is a whitelist of allowed ProcMountTypes.
// Empty or nil indicates that only the DefaultProcMountType may be used.
// This requires the ProcMountType feature flag to be enabled.
// +optional
allowedProcMountTypes?: [...v1.ProcMountType] @go(AllowedProcMountTypes,[]v1.ProcMountType) @protobuf(21,bytes,opt)
// runtimeClass is the strategy that will dictate the allowable RuntimeClasses for a pod.
// If this field is omitted, the pod's runtimeClassName field is unrestricted.
// Enforcement of this field depends on the RuntimeClass feature gate being enabled.
// +optional
runtimeClass?: null | RuntimeClassStrategyOptions @go(RuntimeClass,*RuntimeClassStrategyOptions) @protobuf(24,bytes,opt)
}
// AllowedHostPath defines the host volume conditions that will be enabled by a policy
// for pods to use. It requires the path prefix to be defined.
// Deprecated: use AllowedHostPath from policy API Group instead.
AllowedHostPath :: {
// pathPrefix is the path prefix that the host volume must match.
// It does not support `*`.
// Trailing slashes are trimmed when validating the path prefix with a host path.
//
// Examples:
// `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
// `/foo` would not allow `/food` or `/etc/foo`
pathPrefix?: string @go(PathPrefix) @protobuf(1,bytes,rep)
// when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
// +optional
readOnly?: bool @go(ReadOnly) @protobuf(2,varint,opt)
}
// FSType gives strong typing to different file systems that are used by volumes.
// Deprecated: use FSType from policy API Group instead.
FSType :: string // enumFSType
enumFSType ::
AzureFile |
Flocker |
FlexVolume |
HostPath |
EmptyDir |
GCEPersistentDisk |
AWSElasticBlockStore |
GitRepo |
Secret |
NFS |
ISCSI |
Glusterfs |
PersistentVolumeClaim |
RBD |
Cinder |
CephFS |
DownwardAPI |
FC |
ConfigMap |
Quobyte |
AzureDisk |
CSI |
All
AzureFile :: FSType & "azureFile"
Flocker :: FSType & "flocker"
FlexVolume :: FSType & "flexVolume"
HostPath :: FSType & "hostPath"
EmptyDir :: FSType & "emptyDir"
GCEPersistentDisk :: FSType & "gcePersistentDisk"
AWSElasticBlockStore :: FSType & "awsElasticBlockStore"
GitRepo :: FSType & "gitRepo"
Secret :: FSType & "secret"
NFS :: FSType & "nfs"
ISCSI :: FSType & "iscsi"
Glusterfs :: FSType & "glusterfs"
PersistentVolumeClaim :: FSType & "persistentVolumeClaim"
RBD :: FSType & "rbd"
Cinder :: FSType & "cinder"
CephFS :: FSType & "cephFS"
DownwardAPI :: FSType & "downwardAPI"
FC :: FSType & "fc"
ConfigMap :: FSType & "configMap"
Quobyte :: FSType & "quobyte"
AzureDisk :: FSType & "azureDisk"
CSI :: FSType & "csi"
All :: FSType & "*"
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
// Deprecated: use AllowedFlexVolume from policy API Group instead.
AllowedFlexVolume :: {
// driver is the name of the Flexvolume driver.
driver: string @go(Driver) @protobuf(1,bytes,opt)
}
// AllowedCSIDriver represents a single inline CSI Driver that is allowed to be used.
AllowedCSIDriver :: {
// Name is the registered name of the CSI driver
name: string @go(Name) @protobuf(1,bytes,opt)
}
// HostPortRange defines a range of host ports that will be enabled by a policy
// for pods to use. It requires both the start and end to be defined.
// Deprecated: use HostPortRange from policy API Group instead.
HostPortRange :: {
// min is the start of the range, inclusive.
min: int32 @go(Min) @protobuf(1,varint,opt)
// max is the end of the range, inclusive.
max: int32 @go(Max) @protobuf(2,varint,opt)
}
// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
// Deprecated: use SELinuxStrategyOptions from policy API Group instead.
SELinuxStrategyOptions :: {
// rule is the strategy that will dictate the allowable labels that may be set.
rule: SELinuxStrategy @go(Rule) @protobuf(1,bytes,opt,casttype=SELinuxStrategy)
// seLinuxOptions required to run as; required for MustRunAs
// More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
// +optional
seLinuxOptions?: null | v1.SELinuxOptions @go(SELinuxOptions,*v1.SELinuxOptions) @protobuf(2,bytes,opt)
}
// SELinuxStrategy denotes strategy types for generating SELinux options for a
// Security Context.
// Deprecated: use SELinuxStrategy from policy API Group instead.
SELinuxStrategy :: string // enumSELinuxStrategy
enumSELinuxStrategy ::
SELinuxStrategyMustRunAs |
SELinuxStrategyRunAsAny
// SELinuxStrategyMustRunAs means that container must have SELinux labels of X applied.
// Deprecated: use SELinuxStrategyMustRunAs from policy API Group instead.
SELinuxStrategyMustRunAs :: SELinuxStrategy & "MustRunAs"
// SELinuxStrategyRunAsAny means that container may make requests for any SELinux context labels.
// Deprecated: use SELinuxStrategyRunAsAny from policy API Group instead.
SELinuxStrategyRunAsAny :: SELinuxStrategy & "RunAsAny"
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
// Deprecated: use RunAsUserStrategyOptions from policy API Group instead.
RunAsUserStrategyOptions :: {
// rule is the strategy that will dictate the allowable RunAsUser values that may be set.
rule: RunAsUserStrategy @go(Rule) @protobuf(1,bytes,opt,casttype=RunAsUserStrategy)
// ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
// then supply a single range with the same start and end. Required for MustRunAs.
// +optional
ranges?: [...IDRange] @go(Ranges,[]IDRange) @protobuf(2,bytes,rep)
}
// RunAsGroupStrategyOptions defines the strategy type and any options used to create the strategy.
// Deprecated: use RunAsGroupStrategyOptions from policy API Group instead.
RunAsGroupStrategyOptions :: {
// rule is the strategy that will dictate the allowable RunAsGroup values that may be set.
rule: RunAsGroupStrategy @go(Rule) @protobuf(1,bytes,opt,casttype=RunAsGroupStrategy)
// ranges are the allowed ranges of gids that may be used. If you would like to force a single gid
// then supply a single range with the same start and end. Required for MustRunAs.
// +optional
ranges?: [...IDRange] @go(Ranges,[]IDRange) @protobuf(2,bytes,rep)
}
// IDRange provides a min/max of an allowed range of IDs.
// Deprecated: use IDRange from policy API Group instead.
IDRange :: {
// min is the start of the range, inclusive.
min: int64 @go(Min) @protobuf(1,varint,opt)
// max is the end of the range, inclusive.
max: int64 @go(Max) @protobuf(2,varint,opt)
}
// RunAsUserStrategy denotes strategy types for generating RunAsUser values for a
// Security Context.
// Deprecated: use RunAsUserStrategy from policy API Group instead.
RunAsUserStrategy :: string // enumRunAsUserStrategy
enumRunAsUserStrategy ::
RunAsUserStrategyMustRunAs |
RunAsUserStrategyMustRunAsNonRoot |
RunAsUserStrategyRunAsAny
// RunAsUserStrategyMustRunAs means that container must run as a particular uid.
// Deprecated: use RunAsUserStrategyMustRunAs from policy API Group instead.
RunAsUserStrategyMustRunAs :: RunAsUserStrategy & "MustRunAs"
// RunAsUserStrategyMustRunAsNonRoot means that container must run as a non-root uid.
// Deprecated: use RunAsUserStrategyMustRunAsNonRoot from policy API Group instead.
RunAsUserStrategyMustRunAsNonRoot :: RunAsUserStrategy & "MustRunAsNonRoot"
// RunAsUserStrategyRunAsAny means that container may make requests for any uid.
// Deprecated: use RunAsUserStrategyRunAsAny from policy API Group instead.
RunAsUserStrategyRunAsAny :: RunAsUserStrategy & "RunAsAny"
// RunAsGroupStrategy denotes strategy types for generating RunAsGroup values for a
// Security Context.
// Deprecated: use RunAsGroupStrategy from policy API Group instead.
RunAsGroupStrategy :: string // enumRunAsGroupStrategy
enumRunAsGroupStrategy ::
RunAsGroupStrategyMayRunAs |
RunAsGroupStrategyMustRunAs |
RunAsGroupStrategyRunAsAny
// RunAsGroupStrategyMayRunAs means that container does not need to run with a particular gid.
// However, when RunAsGroup are specified, they have to fall in the defined range.
RunAsGroupStrategyMayRunAs :: RunAsGroupStrategy & "MayRunAs"
// RunAsGroupStrategyMustRunAs means that container must run as a particular gid.
// Deprecated: use RunAsGroupStrategyMustRunAs from policy API Group instead.
RunAsGroupStrategyMustRunAs :: RunAsGroupStrategy & "MustRunAs"
// RunAsGroupStrategyRunAsAny means that container may make requests for any gid.
// Deprecated: use RunAsGroupStrategyRunAsAny from policy API Group instead.
RunAsGroupStrategyRunAsAny :: RunAsGroupStrategy & "RunAsAny"
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
// Deprecated: use FSGroupStrategyOptions from policy API Group instead.
FSGroupStrategyOptions :: {
// rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
// +optional
rule?: FSGroupStrategyType @go(Rule) @protobuf(1,bytes,opt,casttype=FSGroupStrategyType)
// ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
ranges?: [...IDRange] @go(Ranges,[]IDRange) @protobuf(2,bytes,rep)
}
// FSGroupStrategyType denotes strategy types for generating FSGroup values for a
// SecurityContext
// Deprecated: use FSGroupStrategyType from policy API Group instead.
FSGroupStrategyType :: string // enumFSGroupStrategyType
enumFSGroupStrategyType ::
FSGroupStrategyMustRunAs |
FSGroupStrategyRunAsAny
// FSGroupStrategyMustRunAs meant that container must have FSGroup of X applied.
// Deprecated: use FSGroupStrategyMustRunAs from policy API Group instead.
FSGroupStrategyMustRunAs :: FSGroupStrategyType & "MustRunAs"
// FSGroupStrategyRunAsAny means that container may make requests for any FSGroup labels.
// Deprecated: use FSGroupStrategyRunAsAny from policy API Group instead.
FSGroupStrategyRunAsAny :: FSGroupStrategyType & "RunAsAny"
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
// Deprecated: use SupplementalGroupsStrategyOptions from policy API Group instead.
SupplementalGroupsStrategyOptions :: {
// rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
// +optional
rule?: SupplementalGroupsStrategyType @go(Rule) @protobuf(1,bytes,opt,casttype=SupplementalGroupsStrategyType)
// ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end. Required for MustRunAs.
// +optional
ranges?: [...IDRange] @go(Ranges,[]IDRange) @protobuf(2,bytes,rep)
}
// SupplementalGroupsStrategyType denotes strategy types for determining valid supplemental
// groups for a SecurityContext.
// Deprecated: use SupplementalGroupsStrategyType from policy API Group instead.
SupplementalGroupsStrategyType :: string // enumSupplementalGroupsStrategyType
enumSupplementalGroupsStrategyType ::
SupplementalGroupsStrategyMustRunAs |
SupplementalGroupsStrategyRunAsAny
// SupplementalGroupsStrategyMustRunAs means that container must run as a particular gid.
// Deprecated: use SupplementalGroupsStrategyMustRunAs from policy API Group instead.
SupplementalGroupsStrategyMustRunAs :: SupplementalGroupsStrategyType & "MustRunAs"
// SupplementalGroupsStrategyRunAsAny means that container may make requests for any gid.
// Deprecated: use SupplementalGroupsStrategyRunAsAny from policy API Group instead.
SupplementalGroupsStrategyRunAsAny :: SupplementalGroupsStrategyType & "RunAsAny"
// RuntimeClassStrategyOptions define the strategy that will dictate the allowable RuntimeClasses
// for a pod.
RuntimeClassStrategyOptions :: {
// allowedRuntimeClassNames is a whitelist of RuntimeClass names that may be specified on a pod.
// A value of "*" means that any RuntimeClass name is allowed, and must be the only item in the
// list. An empty list requires the RuntimeClassName field to be unset.
allowedRuntimeClassNames: [...string] @go(AllowedRuntimeClassNames,[]string) @protobuf(1,bytes,rep)
// defaultRuntimeClassName is the default RuntimeClassName to set on the pod.
// The default MUST be allowed by the allowedRuntimeClassNames list.
// A value of nil does not mutate the Pod.
// +optional
defaultRuntimeClassName?: null | string @go(DefaultRuntimeClassName,*string) @protobuf(2,bytes,opt)
}
AllowAllRuntimeClassNames :: "*"
// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
// Deprecated: use PodSecurityPolicyList from policy API Group instead.
PodSecurityPolicyList :: {
metav1.TypeMeta
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
// items is a list of schema objects.
items: [...PodSecurityPolicy] @go(Items,[]PodSecurityPolicy) @protobuf(2,bytes,rep)
}
// DEPRECATED 1.9 - This group version of NetworkPolicy is deprecated by networking/v1/NetworkPolicy.
// NetworkPolicy describes what network traffic is allowed for a set of Pods
NetworkPolicy :: {
metav1.TypeMeta
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ObjectMeta @go(ObjectMeta) @protobuf(1,bytes,opt)
// Specification of the desired behavior for this NetworkPolicy.
// +optional
spec?: NetworkPolicySpec @go(Spec) @protobuf(2,bytes,opt)
}
// DEPRECATED 1.9 - This group version of PolicyType is deprecated by networking/v1/PolicyType.
// Policy Type string describes the NetworkPolicy type
// This type is beta-level in 1.8
PolicyType :: string // enumPolicyType
enumPolicyType ::
PolicyTypeIngress |
PolicyTypeEgress
// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
PolicyTypeIngress :: PolicyType & "Ingress"
// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
PolicyTypeEgress :: PolicyType & "Egress"
// DEPRECATED 1.9 - This group version of NetworkPolicySpec is deprecated by networking/v1/NetworkPolicySpec.
NetworkPolicySpec :: {
// Selects the pods to which this NetworkPolicy object applies. The array of ingress rules
// is applied to any pods selected by this field. Multiple network policies can select the
// same set of pods. In this case, the ingress rules for each are combined additively.
// This field is NOT optional and follows standard label selector semantics.
// An empty podSelector matches all pods in this namespace.
podSelector: metav1.LabelSelector @go(PodSelector) @protobuf(1,bytes,opt)
// List of ingress rules to be applied to the selected pods.
// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
// OR if the traffic source is the pod's local node,
// OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
// objects whose podSelector matches the pod.
// If this field is empty then this NetworkPolicy does not allow any traffic
// (and serves solely to ensure that the pods it selects are isolated by default).
// +optional
ingress?: [...NetworkPolicyIngressRule] @go(Ingress,[]NetworkPolicyIngressRule) @protobuf(2,bytes,rep)
// List of egress rules to be applied to the selected pods. Outgoing traffic is
// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
// otherwise allows the traffic), OR if the traffic matches at least one egress rule
// across all of the NetworkPolicy objects whose podSelector matches the pod. If
// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
// solely to ensure that the pods it selects are isolated by default).
// This field is beta-level in 1.8
// +optional
egress?: [...NetworkPolicyEgressRule] @go(Egress,[]NetworkPolicyEgressRule) @protobuf(3,bytes,rep)
// List of rule types that the NetworkPolicy relates to.
// Valid options are "Ingress", "Egress", or "Ingress,Egress".
// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
// policies that contain an Egress section are assumed to affect Egress, and all policies
// (whether or not they contain an Ingress section) are assumed to affect Ingress.
// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
// Likewise, if you want to write a policy that specifies that no egress is allowed,
// you must specify a policyTypes value that include "Egress" (since such a policy would not include
// an Egress section and would otherwise default to just [ "Ingress" ]).
// This field is beta-level in 1.8
// +optional
policyTypes?: [...PolicyType] @go(PolicyTypes,[]PolicyType) @protobuf(4,bytes,rep,casttype=PolicyType)
}
// DEPRECATED 1.9 - This group version of NetworkPolicyIngressRule is deprecated by networking/v1/NetworkPolicyIngressRule.
// This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
NetworkPolicyIngressRule :: {
// List of ports which should be made accessible on the pods selected for this rule.
// Each item in this list is combined using a logical OR.
// If this field is empty or missing, this rule matches all ports (traffic not restricted by port).
// If this field is present and contains at least one item, then this rule allows traffic
// only if the traffic matches at least one port in the list.
// +optional
ports?: [...NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
// List of sources which should be able to access the pods selected for this rule.
// Items in this list are combined using a logical OR operation.
// If this field is empty or missing, this rule matches all sources (traffic not restricted by source).
// If this field is present and contains at least one item, this rule allows traffic only if the
// traffic matches at least one item in the from list.
// +optional
from?: [...NetworkPolicyPeer] @go(From,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
}
// DEPRECATED 1.9 - This group version of NetworkPolicyEgressRule is deprecated by networking/v1/NetworkPolicyEgressRule.
// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
// This type is beta-level in 1.8
NetworkPolicyEgressRule :: {
// List of destination ports for outgoing traffic.
// Each item in this list is combined using a logical OR. If this field is
// empty or missing, this rule matches all ports (traffic not restricted by port).
// If this field is present and contains at least one item, then this rule allows
// traffic only if the traffic matches at least one port in the list.
// +optional
ports?: [...NetworkPolicyPort] @go(Ports,[]NetworkPolicyPort) @protobuf(1,bytes,rep)
// List of destinations for outgoing traffic of pods selected for this rule.
// Items in this list are combined using a logical OR operation. If this field is
// empty or missing, this rule matches all destinations (traffic not restricted by
// destination). If this field is present and contains at least one item, this rule
// allows traffic only if the traffic matches at least one item in the to list.
// +optional
to?: [...NetworkPolicyPeer] @go(To,[]NetworkPolicyPeer) @protobuf(2,bytes,rep)
}
// DEPRECATED 1.9 - This group version of NetworkPolicyPort is deprecated by networking/v1/NetworkPolicyPort.
NetworkPolicyPort :: {
// Optional. The protocol (TCP, UDP, or SCTP) which traffic must match.
// If not specified, this field defaults to TCP.
// +optional
protocol?: null | v1.Protocol @go(Protocol,*v1.Protocol) @protobuf(1,bytes,opt,casttype=k8s.io/api/core/v1.Protocol)
// If specified, the port on the given protocol. This can
// either be a numerical or named port on a pod. If this field is not provided,
// this matches all port names and numbers.
// If present, only traffic on the specified protocol AND port
// will be matched.
// +optional
port?: null | intstr.IntOrString @go(Port,*intstr.IntOrString) @protobuf(2,bytes,opt)
}
// DEPRECATED 1.9 - This group version of IPBlock is deprecated by networking/v1/IPBlock.
// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
// not be included within this rule.
IPBlock :: {
// CIDR is a string representing the IP Block
// Valid examples are "192.168.1.1/24"
cidr: string @go(CIDR) @protobuf(1,bytes)
// Except is a slice of CIDRs that should not be included within an IP Block
// Valid examples are "192.168.1.1/24"
// Except values will be rejected if they are outside the CIDR range
// +optional
except?: [...string] @go(Except,[]string) @protobuf(2,bytes,rep)
}
// DEPRECATED 1.9 - This group version of NetworkPolicyPeer is deprecated by networking/v1/NetworkPolicyPeer.
NetworkPolicyPeer :: {
// This is a label selector which selects Pods. This field follows standard label
// selector semantics; if present but empty, it selects all pods.
//
// If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
// Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
// +optional
podSelector?: null | metav1.LabelSelector @go(PodSelector,*metav1.LabelSelector) @protobuf(1,bytes,opt)
// Selects Namespaces using cluster-scoped labels. This field follows standard label
// selector semantics; if present but empty, it selects all namespaces.
//
// If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
// Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
// +optional
namespaceSelector?: null | metav1.LabelSelector @go(NamespaceSelector,*metav1.LabelSelector) @protobuf(2,bytes,opt)
// IPBlock defines policy on a particular IPBlock. If this field is set then
// neither of the other fields can be.
// +optional
ipBlock?: null | IPBlock @go(IPBlock,*IPBlock) @protobuf(3,bytes,rep)
}
// DEPRECATED 1.9 - This group version of NetworkPolicyList is deprecated by networking/v1/NetworkPolicyList.
// Network Policy List is a list of NetworkPolicy objects.
NetworkPolicyList :: {
metav1.TypeMeta
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
// +optional
metadata?: metav1.ListMeta @go(ListMeta) @protobuf(1,bytes,opt)
// Items is a list of schema objects.
items: [...NetworkPolicy] @go(Items,[]NetworkPolicy) @protobuf(2,bytes,rep)
}