2021-10-01 12:08:56 +00:00
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
syntax = "proto2" ;
package github . com.openshift.api.security.v1 ;
import "k8s.io/api/core/v1/generated.proto" ;
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto" ;
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto" ;
// Package-wide variables from generator "generated".
2023-03-06 20:38:33 +00:00
option go_package = "github.com/openshift/api/security/v1" ;
2021-10-01 12:08:56 +00:00
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
message AllowedFlexVolume {
// Driver is the name of the Flexvolume driver.
optional string driver = 1 ;
}
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
message FSGroupStrategyOptions {
// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
optional string type = 1 ;
// Ranges are the allowed ranges of fs groups. If you would like to force a single
// fs group then supply a single range with the same start and end.
repeated IDRange ranges = 2 ;
}
// IDRange provides a min/max of an allowed range of IDs.
// TODO: this could be reused for UIDs.
message IDRange {
// Min is the start of the range, inclusive.
optional int64 min = 1 ;
// Max is the end of the range, inclusive.
optional int64 max = 2 ;
}
// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
//
2023-03-06 20:38:33 +00:00
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
2021-10-01 12:08:56 +00:00
message PodSecurityPolicyReview {
// spec is the PodSecurityPolicy to check.
optional PodSecurityPolicyReviewSpec spec = 1 ;
// status represents the current information/status for the PodSecurityPolicyReview.
optional PodSecurityPolicyReviewStatus status = 2 ;
}
// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
message PodSecurityPolicyReviewSpec {
// template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
// if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
// in which case "default" is used.
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
optional k8s.io.api.core.v1.PodTemplateSpec template = 1 ;
// serviceAccountNames is an optional set of ServiceAccounts to run the check with.
// If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
// unless it's empty, in which case "default" is used instead.
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
repeated string serviceAccountNames = 2 ;
}
// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
message PodSecurityPolicyReviewStatus {
// allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1 ;
}
// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
//
2023-03-06 20:38:33 +00:00
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
2021-10-01 12:08:56 +00:00
message PodSecurityPolicySelfSubjectReview {
// spec defines specification the PodSecurityPolicySelfSubjectReview.
optional PodSecurityPolicySelfSubjectReviewSpec spec = 1 ;
// status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
optional PodSecurityPolicySubjectReviewStatus status = 2 ;
}
// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
message PodSecurityPolicySelfSubjectReviewSpec {
// template is the PodTemplateSpec to check.
optional k8s.io.api.core.v1.PodTemplateSpec template = 1 ;
}
// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
//
2023-03-06 20:38:33 +00:00
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
2021-10-01 12:08:56 +00:00
message PodSecurityPolicySubjectReview {
// spec defines specification for the PodSecurityPolicySubjectReview.
optional PodSecurityPolicySubjectReviewSpec spec = 1 ;
// status represents the current information/status for the PodSecurityPolicySubjectReview.
optional PodSecurityPolicySubjectReviewStatus status = 2 ;
}
// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
message PodSecurityPolicySubjectReviewSpec {
// template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
// If its non-empty, it will be checked.
optional k8s.io.api.core.v1.PodTemplateSpec template = 1 ;
// user is the user you're testing for.
// If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups.
// If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
optional string user = 2 ;
// groups is the groups you're testing for.
repeated string groups = 3 ;
}
// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
message PodSecurityPolicySubjectReviewStatus {
// allowedBy is a reference to the rule that allows the PodTemplateSpec.
// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
// A `nil`, indicates that it was denied.
optional k8s.io.api.core.v1.ObjectReference allowedBy = 1 ;
// A machine-readable description of why this operation is in the
// "Failure" status. If this value is empty there
// is no information available.
optional string reason = 2 ;
// template is the PodTemplateSpec after the defaulting is applied.
optional k8s.io.api.core.v1.PodTemplateSpec template = 3 ;
}
// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
//
2023-03-06 20:38:33 +00:00
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
2021-10-01 12:08:56 +00:00
message RangeAllocation {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1 ;
// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
optional string range = 2 ;
// data is a byte array representing the serialized state of a range allocation. It is a bitmap
// with each bit set to one to represent a range is taken.
optional bytes data = 3 ;
}
// RangeAllocationList is a list of RangeAllocations objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RangeAllocationList {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1 ;
// List of RangeAllocations.
repeated RangeAllocation items = 2 ;
}
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
message RunAsUserStrategyOptions {
// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
optional string type = 1 ;
// UID is the user id that containers must run as. Required for the MustRunAs strategy if not using
// namespace/service account allocated uids.
optional int64 uid = 2 ;
// UIDRangeMin defines the min value for a strategy that allocates by range.
optional int64 uidRangeMin = 3 ;
// UIDRangeMax defines the max value for a strategy that allocates by range.
optional int64 uidRangeMax = 4 ;
}
// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
message SELinuxContextStrategyOptions {
// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
optional string type = 1 ;
// seLinuxOptions required to run as; required for MustRunAs
optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2 ;
}
// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
// that will be applied to a container.
// For historical reasons SCC was exposed under the core Kubernetes API group.
// That exposure is deprecated and will be removed in a future release - users
// should instead use the security.openshift.io group to manage
// SecurityContextConstraints.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
// +kubebuilder:singular=securitycontextconstraint
// +openshift:compatibility-gen:level=1
message SecurityContextConstraints {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1 ;
// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
// a given pod request based on access in the Users and Groups fields. The higher the int, the
// higher priority. An unset value is considered a 0 priority. If scores
// for multiple SCCs are equal they will be sorted from most restrictive to
// least restrictive. If both priorities and restrictions are equal the
// SCCs will be sorted by name.
// +nullable
optional int32 priority = 2 ;
// AllowPrivilegedContainer determines if a container can request to be run as privileged.
optional bool allowPrivilegedContainer = 3 ;
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
// unless the pod spec specifically drops the capability. You may not list a capabiility in both
// DefaultAddCapabilities and RequiredDropCapabilities.
// +nullable
repeated string defaultAddCapabilities = 4 ;
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
// are required to be dropped and cannot be added.
// +nullable
repeated string requiredDropCapabilities = 5 ;
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
// Capabilities in this field maybe added at the pod author's discretion.
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
// To allow all capabilities you may use '*'.
// +nullable
repeated string allowedCapabilities = 6 ;
// AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
// +k8s:conversion-gen=false
optional bool allowHostDirVolumePlugin = 7 ;
// Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
// of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
// To allow no volumes, set to ["none"].
// +nullable
repeated string volumes = 8 ;
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
// is allowed in the "Volumes" field.
// +optional
// +nullable
repeated AllowedFlexVolume allowedFlexVolumes = 21 ;
// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
optional bool allowHostNetwork = 9 ;
// AllowHostPorts determines if the policy allows host ports in the containers.
optional bool allowHostPorts = 10 ;
// AllowHostPID determines if the policy allows host pid in the containers.
optional bool allowHostPID = 11 ;
// AllowHostIPC determines if the policy allows host ipc in the containers.
optional bool allowHostIPC = 12 ;
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
// process can gain more privileges than its parent process.
// +optional
// +nullable
optional bool defaultAllowPrivilegeEscalation = 22 ;
// AllowPrivilegeEscalation determines if a pod can request to allow
// privilege escalation. If unspecified, defaults to true.
// +optional
// +nullable
optional bool allowPrivilegeEscalation = 23 ;
// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
// +nullable
optional SELinuxContextStrategyOptions seLinuxContext = 13 ;
// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
// +nullable
optional RunAsUserStrategyOptions runAsUser = 14 ;
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
// +nullable
optional SupplementalGroupsStrategyOptions supplementalGroups = 15 ;
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
// +nullable
optional FSGroupStrategyOptions fsGroup = 16 ;
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
// system. If the container specifically requests to run with a non-read only root file system
// the SCC should deny the pod.
// If set to false the container may run with a read only root file system if it wishes but it
// will not be forced to.
optional bool readOnlyRootFilesystem = 17 ;
// The users who have permissions to use this security context constraints
// +optional
// +nullable
repeated string users = 18 ;
// The groups that have permission to use this security context constraints
// +optional
// +nullable
repeated string groups = 19 ;
// SeccompProfiles lists the allowed profiles that may be set for the pod or
// container's seccomp annotations. An unset (nil) or empty value means that no profiles may
// be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When
// used to generate a value for a pod the first non-wildcard profile will be used as
// the default.
// +nullable
repeated string seccompProfiles = 20 ;
// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
//
// Examples:
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
// +optional
// +nullable
repeated string allowedUnsafeSysctls = 24 ;
// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
//
// Examples:
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
// +optional
// +nullable
repeated string forbiddenSysctls = 25 ;
}
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SecurityContextConstraintsList {
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1 ;
// List of security context constraints.
repeated SecurityContextConstraints items = 2 ;
}
// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
message ServiceAccountPodSecurityPolicyReviewStatus {
optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1 ;
// name contains the allowed and the denied ServiceAccount name
optional string name = 2 ;
}
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
message SupplementalGroupsStrategyOptions {
// Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
optional string type = 1 ;
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
// supplemental group then supply a single range with the same start and end.
repeated IDRange ranges = 2 ;
}