2021-12-08 13:50:47 +00:00
|
|
|
/*
|
|
|
|
Copyright The Kubernetes Authors.
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
|
|
|
|
syntax = "proto2";
|
|
|
|
|
|
|
|
package k8s.io.api.flowcontrol.v1beta2;
|
|
|
|
|
|
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
|
|
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
|
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
|
|
|
|
// Package-wide variables from generator "generated".
|
2022-05-05 02:47:06 +00:00
|
|
|
option go_package = "k8s.io/api/flowcontrol/v1beta2";
|
2021-12-08 13:50:47 +00:00
|
|
|
|
|
|
|
// FlowDistinguisherMethod specifies the method of a flow distinguisher.
|
|
|
|
message FlowDistinguisherMethod {
|
|
|
|
// `type` is the type of flow distinguisher method
|
|
|
|
// The supported types are "ByUser" and "ByNamespace".
|
|
|
|
// Required.
|
|
|
|
optional string type = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// FlowSchema defines the schema of a group of flows. Note that a flow is made up of a set of inbound API requests with
|
|
|
|
// similar attributes and is identified by a pair of strings: the name of the FlowSchema and a "flow distinguisher".
|
|
|
|
message FlowSchema {
|
|
|
|
// `metadata` is the standard object's metadata.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
|
|
|
|
// `spec` is the specification of the desired behavior of a FlowSchema.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
// +optional
|
|
|
|
optional FlowSchemaSpec spec = 2;
|
|
|
|
|
|
|
|
// `status` is the current status of a FlowSchema.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
// +optional
|
|
|
|
optional FlowSchemaStatus status = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// FlowSchemaCondition describes conditions for a FlowSchema.
|
|
|
|
message FlowSchemaCondition {
|
|
|
|
// `type` is the type of the condition.
|
|
|
|
// Required.
|
|
|
|
optional string type = 1;
|
|
|
|
|
|
|
|
// `status` is the status of the condition.
|
|
|
|
// Can be True, False, Unknown.
|
|
|
|
// Required.
|
|
|
|
optional string status = 2;
|
|
|
|
|
|
|
|
// `lastTransitionTime` is the last time the condition transitioned from one status to another.
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
|
|
|
|
|
|
|
|
// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
|
|
|
|
optional string reason = 4;
|
|
|
|
|
|
|
|
// `message` is a human-readable message indicating details about last transition.
|
|
|
|
optional string message = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// FlowSchemaList is a list of FlowSchema objects.
|
|
|
|
message FlowSchemaList {
|
|
|
|
// `metadata` is the standard list metadata.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
|
|
|
|
// `items` is a list of FlowSchemas.
|
|
|
|
repeated FlowSchema items = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// FlowSchemaSpec describes how the FlowSchema's specification looks like.
|
|
|
|
message FlowSchemaSpec {
|
|
|
|
// `priorityLevelConfiguration` should reference a PriorityLevelConfiguration in the cluster. If the reference cannot
|
|
|
|
// be resolved, the FlowSchema will be ignored and marked as invalid in its status.
|
|
|
|
// Required.
|
|
|
|
optional PriorityLevelConfigurationReference priorityLevelConfiguration = 1;
|
|
|
|
|
|
|
|
// `matchingPrecedence` is used to choose among the FlowSchemas that match a given request. The chosen
|
|
|
|
// FlowSchema is among those with the numerically lowest (which we take to be logically highest)
|
|
|
|
// MatchingPrecedence. Each MatchingPrecedence value must be ranged in [1,10000].
|
|
|
|
// Note that if the precedence is not specified, it will be set to 1000 as default.
|
|
|
|
// +optional
|
|
|
|
optional int32 matchingPrecedence = 2;
|
|
|
|
|
|
|
|
// `distinguisherMethod` defines how to compute the flow distinguisher for requests that match this schema.
|
|
|
|
// `nil` specifies that the distinguisher is disabled and thus will always be the empty string.
|
|
|
|
// +optional
|
|
|
|
optional FlowDistinguisherMethod distinguisherMethod = 3;
|
|
|
|
|
|
|
|
// `rules` describes which requests will match this flow schema. This FlowSchema matches a request if and only if
|
|
|
|
// at least one member of rules matches the request.
|
|
|
|
// if it is an empty slice, there will be no requests matching the FlowSchema.
|
|
|
|
// +listType=atomic
|
|
|
|
// +optional
|
|
|
|
repeated PolicyRulesWithSubjects rules = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// FlowSchemaStatus represents the current state of a FlowSchema.
|
|
|
|
message FlowSchemaStatus {
|
|
|
|
// `conditions` is a list of the current states of FlowSchema.
|
|
|
|
// +listType=map
|
|
|
|
// +listMapKey=type
|
|
|
|
// +optional
|
|
|
|
repeated FlowSchemaCondition conditions = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// GroupSubject holds detailed information for group-kind subject.
|
|
|
|
message GroupSubject {
|
|
|
|
// name is the user group that matches, or "*" to match all user groups.
|
|
|
|
// See https://github.com/kubernetes/apiserver/blob/master/pkg/authentication/user/user.go for some
|
|
|
|
// well-known group names.
|
|
|
|
// Required.
|
|
|
|
optional string name = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// LimitResponse defines how to handle requests that can not be executed right now.
|
|
|
|
// +union
|
|
|
|
message LimitResponse {
|
|
|
|
// `type` is "Queue" or "Reject".
|
|
|
|
// "Queue" means that requests that can not be executed upon arrival
|
|
|
|
// are held in a queue until they can be executed or a queuing limit
|
|
|
|
// is reached.
|
|
|
|
// "Reject" means that requests that can not be executed upon arrival
|
|
|
|
// are rejected.
|
|
|
|
// Required.
|
|
|
|
// +unionDiscriminator
|
|
|
|
optional string type = 1;
|
|
|
|
|
|
|
|
// `queuing` holds the configuration parameters for queuing.
|
|
|
|
// This field may be non-empty only if `type` is `"Queue"`.
|
|
|
|
// +optional
|
|
|
|
optional QueuingConfiguration queuing = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// LimitedPriorityLevelConfiguration specifies how to handle requests that are subject to limits.
|
|
|
|
// It addresses two issues:
|
2022-08-24 02:24:25 +00:00
|
|
|
// - How are requests for this priority level limited?
|
|
|
|
// - What should be done with requests that exceed the limit?
|
2021-12-08 13:50:47 +00:00
|
|
|
message LimitedPriorityLevelConfiguration {
|
|
|
|
// `assuredConcurrencyShares` (ACS) configures the execution
|
|
|
|
// limit, which is a limit on the number of requests of this
|
|
|
|
// priority level that may be exeucting at a given time. ACS must
|
|
|
|
// be a positive number. The server's concurrency limit (SCL) is
|
|
|
|
// divided among the concurrency-controlled priority levels in
|
|
|
|
// proportion to their assured concurrency shares. This produces
|
|
|
|
// the assured concurrency value (ACV) --- the number of requests
|
|
|
|
// that may be executing at a time --- for each such priority
|
|
|
|
// level:
|
|
|
|
//
|
|
|
|
// ACV(l) = ceil( SCL * ACS(l) / ( sum[priority levels k] ACS(k) ) )
|
|
|
|
//
|
|
|
|
// bigger numbers of ACS mean more reserved concurrent requests (at the
|
|
|
|
// expense of every other PL).
|
|
|
|
// This field has a default value of 30.
|
|
|
|
// +optional
|
|
|
|
optional int32 assuredConcurrencyShares = 1;
|
|
|
|
|
|
|
|
// `limitResponse` indicates what to do with requests that can not be executed right now
|
|
|
|
optional LimitResponse limitResponse = 2;
|
2023-02-01 17:06:36 +00:00
|
|
|
|
|
|
|
// `lendablePercent` prescribes the fraction of the level's NominalCL that
|
|
|
|
// can be borrowed by other priority levels. The value of this
|
|
|
|
// field must be between 0 and 100, inclusive, and it defaults to 0.
|
|
|
|
// The number of seats that other levels can borrow from this level, known
|
|
|
|
// as this level's LendableConcurrencyLimit (LendableCL), is defined as follows.
|
|
|
|
//
|
|
|
|
// LendableCL(i) = round( NominalCL(i) * lendablePercent(i)/100.0 )
|
|
|
|
//
|
|
|
|
// +optional
|
|
|
|
optional int32 lendablePercent = 3;
|
|
|
|
|
|
|
|
// `borrowingLimitPercent`, if present, configures a limit on how many
|
|
|
|
// seats this priority level can borrow from other priority levels.
|
|
|
|
// The limit is known as this level's BorrowingConcurrencyLimit
|
|
|
|
// (BorrowingCL) and is a limit on the total number of seats that this
|
|
|
|
// level may borrow at any one time.
|
|
|
|
// This field holds the ratio of that limit to the level's nominal
|
|
|
|
// concurrency limit. When this field is non-nil, it must hold a
|
|
|
|
// non-negative integer and the limit is calculated as follows.
|
|
|
|
//
|
|
|
|
// BorrowingCL(i) = round( NominalCL(i) * borrowingLimitPercent(i)/100.0 )
|
|
|
|
//
|
|
|
|
// The value of this field can be more than 100, implying that this
|
|
|
|
// priority level can borrow a number of seats that is greater than
|
|
|
|
// its own nominal concurrency limit (NominalCL).
|
|
|
|
// When this field is left `nil`, the limit is effectively infinite.
|
|
|
|
// +optional
|
|
|
|
optional int32 borrowingLimitPercent = 4;
|
2021-12-08 13:50:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
// NonResourcePolicyRule is a predicate that matches non-resource requests according to their verb and the
|
|
|
|
// target non-resource URL. A NonResourcePolicyRule matches a request if and only if both (a) at least one member
|
|
|
|
// of verbs matches the request and (b) at least one member of nonResourceURLs matches the request.
|
|
|
|
message NonResourcePolicyRule {
|
|
|
|
// `verbs` is a list of matching verbs and may not be empty.
|
|
|
|
// "*" matches all verbs. If it is present, it must be the only entry.
|
|
|
|
// +listType=set
|
|
|
|
// Required.
|
|
|
|
repeated string verbs = 1;
|
|
|
|
|
|
|
|
// `nonResourceURLs` is a set of url prefixes that a user should have access to and may not be empty.
|
|
|
|
// For example:
|
|
|
|
// - "/healthz" is legal
|
|
|
|
// - "/hea*" is illegal
|
|
|
|
// - "/hea" is legal but matches nothing
|
|
|
|
// - "/hea/*" also matches nothing
|
|
|
|
// - "/healthz/*" matches all per-component health checks.
|
|
|
|
// "*" matches all non-resource urls. if it is present, it must be the only entry.
|
|
|
|
// +listType=set
|
|
|
|
// Required.
|
|
|
|
repeated string nonResourceURLs = 6;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PolicyRulesWithSubjects prescribes a test that applies to a request to an apiserver. The test considers the subject
|
|
|
|
// making the request, the verb being requested, and the resource to be acted upon. This PolicyRulesWithSubjects matches
|
|
|
|
// a request if and only if both (a) at least one member of subjects matches the request and (b) at least one member
|
|
|
|
// of resourceRules or nonResourceRules matches the request.
|
|
|
|
message PolicyRulesWithSubjects {
|
|
|
|
// subjects is the list of normal user, serviceaccount, or group that this rule cares about.
|
|
|
|
// There must be at least one member in this slice.
|
|
|
|
// A slice that includes both the system:authenticated and system:unauthenticated user groups matches every request.
|
|
|
|
// +listType=atomic
|
|
|
|
// Required.
|
|
|
|
repeated Subject subjects = 1;
|
|
|
|
|
|
|
|
// `resourceRules` is a slice of ResourcePolicyRules that identify matching requests according to their verb and the
|
|
|
|
// target resource.
|
|
|
|
// At least one of `resourceRules` and `nonResourceRules` has to be non-empty.
|
|
|
|
// +listType=atomic
|
|
|
|
// +optional
|
|
|
|
repeated ResourcePolicyRule resourceRules = 2;
|
|
|
|
|
|
|
|
// `nonResourceRules` is a list of NonResourcePolicyRules that identify matching requests according to their verb
|
|
|
|
// and the target non-resource URL.
|
|
|
|
// +listType=atomic
|
|
|
|
// +optional
|
|
|
|
repeated NonResourcePolicyRule nonResourceRules = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PriorityLevelConfiguration represents the configuration of a priority level.
|
|
|
|
message PriorityLevelConfiguration {
|
|
|
|
// `metadata` is the standard object's metadata.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
|
|
|
|
// `spec` is the specification of the desired behavior of a "request-priority".
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
// +optional
|
|
|
|
optional PriorityLevelConfigurationSpec spec = 2;
|
|
|
|
|
|
|
|
// `status` is the current status of a "request-priority".
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
|
|
|
|
// +optional
|
|
|
|
optional PriorityLevelConfigurationStatus status = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PriorityLevelConfigurationCondition defines the condition of priority level.
|
|
|
|
message PriorityLevelConfigurationCondition {
|
|
|
|
// `type` is the type of the condition.
|
|
|
|
// Required.
|
|
|
|
optional string type = 1;
|
|
|
|
|
|
|
|
// `status` is the status of the condition.
|
|
|
|
// Can be True, False, Unknown.
|
|
|
|
// Required.
|
|
|
|
optional string status = 2;
|
|
|
|
|
|
|
|
// `lastTransitionTime` is the last time the condition transitioned from one status to another.
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;
|
|
|
|
|
|
|
|
// `reason` is a unique, one-word, CamelCase reason for the condition's last transition.
|
|
|
|
optional string reason = 4;
|
|
|
|
|
|
|
|
// `message` is a human-readable message indicating details about last transition.
|
|
|
|
optional string message = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PriorityLevelConfigurationList is a list of PriorityLevelConfiguration objects.
|
|
|
|
message PriorityLevelConfigurationList {
|
|
|
|
// `metadata` is the standard object's metadata.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
|
|
|
|
// `items` is a list of request-priorities.
|
|
|
|
repeated PriorityLevelConfiguration items = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PriorityLevelConfigurationReference contains information that points to the "request-priority" being used.
|
|
|
|
message PriorityLevelConfigurationReference {
|
|
|
|
// `name` is the name of the priority level configuration being referenced
|
|
|
|
// Required.
|
|
|
|
optional string name = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PriorityLevelConfigurationSpec specifies the configuration of a priority level.
|
|
|
|
// +union
|
|
|
|
message PriorityLevelConfigurationSpec {
|
|
|
|
// `type` indicates whether this priority level is subject to
|
|
|
|
// limitation on request execution. A value of `"Exempt"` means
|
|
|
|
// that requests of this priority level are not subject to a limit
|
|
|
|
// (and thus are never queued) and do not detract from the
|
|
|
|
// capacity made available to other priority levels. A value of
|
|
|
|
// `"Limited"` means that (a) requests of this priority level
|
|
|
|
// _are_ subject to limits and (b) some of the server's limited
|
|
|
|
// capacity is made available exclusively to this priority level.
|
|
|
|
// Required.
|
|
|
|
// +unionDiscriminator
|
|
|
|
optional string type = 1;
|
|
|
|
|
|
|
|
// `limited` specifies how requests are handled for a Limited priority level.
|
|
|
|
// This field must be non-empty if and only if `type` is `"Limited"`.
|
|
|
|
// +optional
|
|
|
|
optional LimitedPriorityLevelConfiguration limited = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// PriorityLevelConfigurationStatus represents the current state of a "request-priority".
|
|
|
|
message PriorityLevelConfigurationStatus {
|
|
|
|
// `conditions` is the current state of "request-priority".
|
|
|
|
// +listType=map
|
|
|
|
// +listMapKey=type
|
|
|
|
// +optional
|
|
|
|
repeated PriorityLevelConfigurationCondition conditions = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// QueuingConfiguration holds the configuration parameters for queuing
|
|
|
|
message QueuingConfiguration {
|
|
|
|
// `queues` is the number of queues for this priority level. The
|
|
|
|
// queues exist independently at each apiserver. The value must be
|
|
|
|
// positive. Setting it to 1 effectively precludes
|
|
|
|
// shufflesharding and thus makes the distinguisher method of
|
|
|
|
// associated flow schemas irrelevant. This field has a default
|
|
|
|
// value of 64.
|
|
|
|
// +optional
|
|
|
|
optional int32 queues = 1;
|
|
|
|
|
|
|
|
// `handSize` is a small positive number that configures the
|
|
|
|
// shuffle sharding of requests into queues. When enqueuing a request
|
|
|
|
// at this priority level the request's flow identifier (a string
|
|
|
|
// pair) is hashed and the hash value is used to shuffle the list
|
|
|
|
// of queues and deal a hand of the size specified here. The
|
|
|
|
// request is put into one of the shortest queues in that hand.
|
|
|
|
// `handSize` must be no larger than `queues`, and should be
|
|
|
|
// significantly smaller (so that a few heavy flows do not
|
|
|
|
// saturate most of the queues). See the user-facing
|
|
|
|
// documentation for more extensive guidance on setting this
|
|
|
|
// field. This field has a default value of 8.
|
|
|
|
// +optional
|
|
|
|
optional int32 handSize = 2;
|
|
|
|
|
|
|
|
// `queueLengthLimit` is the maximum number of requests allowed to
|
|
|
|
// be waiting in a given queue of this priority level at a time;
|
|
|
|
// excess requests are rejected. This value must be positive. If
|
|
|
|
// not specified, it will be defaulted to 50.
|
|
|
|
// +optional
|
|
|
|
optional int32 queueLengthLimit = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// ResourcePolicyRule is a predicate that matches some resource
|
|
|
|
// requests, testing the request's verb and the target resource. A
|
|
|
|
// ResourcePolicyRule matches a resource request if and only if: (a)
|
|
|
|
// at least one member of verbs matches the request, (b) at least one
|
|
|
|
// member of apiGroups matches the request, (c) at least one member of
|
|
|
|
// resources matches the request, and (d) either (d1) the request does
|
|
|
|
// not specify a namespace (i.e., `Namespace==""`) and clusterScope is
|
|
|
|
// true or (d2) the request specifies a namespace and least one member
|
|
|
|
// of namespaces matches the request's namespace.
|
|
|
|
message ResourcePolicyRule {
|
|
|
|
// `verbs` is a list of matching verbs and may not be empty.
|
|
|
|
// "*" matches all verbs and, if present, must be the only entry.
|
|
|
|
// +listType=set
|
|
|
|
// Required.
|
|
|
|
repeated string verbs = 1;
|
|
|
|
|
|
|
|
// `apiGroups` is a list of matching API groups and may not be empty.
|
|
|
|
// "*" matches all API groups and, if present, must be the only entry.
|
|
|
|
// +listType=set
|
|
|
|
// Required.
|
|
|
|
repeated string apiGroups = 2;
|
|
|
|
|
|
|
|
// `resources` is a list of matching resources (i.e., lowercase
|
|
|
|
// and plural) with, if desired, subresource. For example, [
|
|
|
|
// "services", "nodes/status" ]. This list may not be empty.
|
|
|
|
// "*" matches all resources and, if present, must be the only entry.
|
|
|
|
// Required.
|
|
|
|
// +listType=set
|
|
|
|
repeated string resources = 3;
|
|
|
|
|
|
|
|
// `clusterScope` indicates whether to match requests that do not
|
|
|
|
// specify a namespace (which happens either because the resource
|
|
|
|
// is not namespaced or the request targets all namespaces).
|
|
|
|
// If this field is omitted or false then the `namespaces` field
|
|
|
|
// must contain a non-empty list.
|
|
|
|
// +optional
|
|
|
|
optional bool clusterScope = 4;
|
|
|
|
|
|
|
|
// `namespaces` is a list of target namespaces that restricts
|
|
|
|
// matches. A request that specifies a target namespace matches
|
|
|
|
// only if either (a) this list contains that target namespace or
|
|
|
|
// (b) this list contains "*". Note that "*" matches any
|
|
|
|
// specified namespace but does not match a request that _does
|
|
|
|
// not specify_ a namespace (see the `clusterScope` field for
|
|
|
|
// that).
|
|
|
|
// This list may be empty, but only if `clusterScope` is true.
|
|
|
|
// +optional
|
|
|
|
// +listType=set
|
|
|
|
repeated string namespaces = 5;
|
|
|
|
}
|
|
|
|
|
|
|
|
// ServiceAccountSubject holds detailed information for service-account-kind subject.
|
|
|
|
message ServiceAccountSubject {
|
|
|
|
// `namespace` is the namespace of matching ServiceAccount objects.
|
|
|
|
// Required.
|
|
|
|
optional string namespace = 1;
|
|
|
|
|
|
|
|
// `name` is the name of matching ServiceAccount objects, or "*" to match regardless of name.
|
|
|
|
// Required.
|
|
|
|
optional string name = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Subject matches the originator of a request, as identified by the request authentication system. There are three
|
|
|
|
// ways of matching an originator; by user, group, or service account.
|
|
|
|
// +union
|
|
|
|
message Subject {
|
|
|
|
// `kind` indicates which one of the other fields is non-empty.
|
|
|
|
// Required
|
|
|
|
// +unionDiscriminator
|
|
|
|
optional string kind = 1;
|
|
|
|
|
|
|
|
// `user` matches based on username.
|
|
|
|
// +optional
|
|
|
|
optional UserSubject user = 2;
|
|
|
|
|
|
|
|
// `group` matches based on user group name.
|
|
|
|
// +optional
|
|
|
|
optional GroupSubject group = 3;
|
|
|
|
|
|
|
|
// `serviceAccount` matches ServiceAccounts.
|
|
|
|
// +optional
|
|
|
|
optional ServiceAccountSubject serviceAccount = 4;
|
|
|
|
}
|
|
|
|
|
|
|
|
// UserSubject holds detailed information for user-kind subject.
|
|
|
|
message UserSubject {
|
|
|
|
// `name` is the username that matches, or "*" to match all usernames.
|
|
|
|
// Required.
|
|
|
|
optional string name = 1;
|
|
|
|
}
|
|
|
|
|