// This file was autogenerated by go-to-protobuf. Do not edit it manually!

syntax = "proto2";

package github.com.openshift.api.security.v1;

import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "github.com/openshift/api/security/v1";

// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
message AllowedFlexVolume {
  // Driver is the name of the Flexvolume driver.
  optional string driver = 1;
}

// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
message FSGroupStrategyOptions {
  // Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
  optional string type = 1;

  // Ranges are the allowed ranges of fs groups.  If you would like to force a single
  // fs group then supply a single range with the same start and end.
  repeated IDRange ranges = 2;
}

// IDRange provides a min/max of an allowed range of IDs.
// TODO: this could be reused for UIDs.
message IDRange {
  // Min is the start of the range, inclusive.
  optional int64 min = 1;

  // Max is the end of the range, inclusive.
  optional int64 max = 2;
}

// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
message PodSecurityPolicyReview {
  // spec is the PodSecurityPolicy to check.
  optional PodSecurityPolicyReviewSpec spec = 1;

  // status represents the current information/status for the PodSecurityPolicyReview.
  optional PodSecurityPolicyReviewStatus status = 2;
}

// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
message PodSecurityPolicyReviewSpec {
  // template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
  // if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
  // in which case "default" is used.
  // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 1;

  // serviceAccountNames is an optional set of ServiceAccounts to run the check with.
  // If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
  // unless it's empty, in which case "default" is used instead.
  // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
  repeated string serviceAccountNames = 2;
}

// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
message PodSecurityPolicyReviewStatus {
  // allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
  repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1;
}

// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
message PodSecurityPolicySelfSubjectReview {
  // spec defines specification the PodSecurityPolicySelfSubjectReview.
  optional PodSecurityPolicySelfSubjectReviewSpec spec = 1;

  // status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
  optional PodSecurityPolicySubjectReviewStatus status = 2;
}

// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
message PodSecurityPolicySelfSubjectReviewSpec {
  // template is the PodTemplateSpec to check.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
}

// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
message PodSecurityPolicySubjectReview {
  // spec defines specification for the PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewSpec spec = 1;

  // status represents the current information/status for the PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewStatus status = 2;
}

// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
message PodSecurityPolicySubjectReviewSpec {
  // template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
  // If its non-empty, it will be checked.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 1;

  // user is the user you're testing for.
  // If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups.
  // If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
  optional string user = 2;

  // groups is the groups you're testing for.
  repeated string groups = 3;
}

// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
message PodSecurityPolicySubjectReviewStatus {
  // allowedBy is a reference to the rule that allows the PodTemplateSpec.
  // A rule can be a SecurityContextConstraint or a PodSecurityPolicy
  // A `nil`, indicates that it was denied.
  optional k8s.io.api.core.v1.ObjectReference allowedBy = 1;

  // A machine-readable description of why this operation is in the
  // "Failure" status. If this value is empty there
  // is no information available.
  optional string reason = 2;

  // template is the PodTemplateSpec after the defaulting is applied.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
}

// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
message RangeAllocation {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
  optional string range = 2;

  // data is a byte array representing the serialized state of a range allocation.  It is a bitmap
  // with each bit set to one to represent a range is taken.
  optional bytes data = 3;
}

// RangeAllocationList is a list of RangeAllocations objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RangeAllocationList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of RangeAllocations.
  repeated RangeAllocation items = 2;
}

// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
message RunAsUserStrategyOptions {
  // Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
  optional string type = 1;

  // UID is the user id that containers must run as.  Required for the MustRunAs strategy if not using
  // namespace/service account allocated uids.
  optional int64 uid = 2;

  // UIDRangeMin defines the min value for a strategy that allocates by range.
  optional int64 uidRangeMin = 3;

  // UIDRangeMax defines the max value for a strategy that allocates by range.
  optional int64 uidRangeMax = 4;
}

// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
message SELinuxContextStrategyOptions {
  // Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
  optional string type = 1;

  // seLinuxOptions required to run as; required for MustRunAs
  optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
}

// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
// that will be applied to a container.
// For historical reasons SCC was exposed under the core Kubernetes API group.
// That exposure is deprecated and will be removed in a future release - users
// should instead use the security.openshift.io group to manage
// SecurityContextConstraints.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
// +kubebuilder:singular=securitycontextconstraint
// +openshift:compatibility-gen:level=1
message SecurityContextConstraints {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Priority influences the sort order of SCCs when evaluating which SCCs to try first for
  // a given pod request based on access in the Users and Groups fields.  The higher the int, the
  // higher priority. An unset value is considered a 0 priority. If scores
  // for multiple SCCs are equal they will be sorted from most restrictive to
  // least restrictive. If both priorities and restrictions are equal the
  // SCCs will be sorted by name.
  // +nullable
  optional int32 priority = 2;

  // AllowPrivilegedContainer determines if a container can request to be run as privileged.
  optional bool allowPrivilegedContainer = 3;

  // DefaultAddCapabilities is the default set of capabilities that will be added to the container
  // unless the pod spec specifically drops the capability.  You may not list a capabiility in both
  // DefaultAddCapabilities and RequiredDropCapabilities.
  // +nullable
  repeated string defaultAddCapabilities = 4;

  // RequiredDropCapabilities are the capabilities that will be dropped from the container.  These
  // are required to be dropped and cannot be added.
  // +nullable
  repeated string requiredDropCapabilities = 5;

  // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
  // Capabilities in this field maybe added at the pod author's discretion.
  // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
  // To allow all capabilities you may use '*'.
  // +nullable
  repeated string allowedCapabilities = 6;

  // AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
  // +k8s:conversion-gen=false
  optional bool allowHostDirVolumePlugin = 7;

  // Volumes is a white list of allowed volume plugins.  FSType corresponds directly with the field names
  // of a VolumeSource (azureFile, configMap, emptyDir).  To allow all volumes you may use "*".
  // To allow no volumes, set to ["none"].
  // +nullable
  repeated string volumes = 8;

  // AllowedFlexVolumes is a whitelist of allowed Flexvolumes.  Empty or nil indicates that all
  // Flexvolumes may be used.  This parameter is effective only when the usage of the Flexvolumes
  // is allowed in the "Volumes" field.
  // +optional
  // +nullable
  repeated AllowedFlexVolume allowedFlexVolumes = 21;

  // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
  optional bool allowHostNetwork = 9;

  // AllowHostPorts determines if the policy allows host ports in the containers.
  optional bool allowHostPorts = 10;

  // AllowHostPID determines if the policy allows host pid in the containers.
  optional bool allowHostPID = 11;

  // AllowHostIPC determines if the policy allows host ipc in the containers.
  optional bool allowHostIPC = 12;

  // DefaultAllowPrivilegeEscalation controls the default setting for whether a
  // process can gain more privileges than its parent process.
  // +optional
  // +nullable
  optional bool defaultAllowPrivilegeEscalation = 22;

  // AllowPrivilegeEscalation determines if a pod can request to allow
  // privilege escalation. If unspecified, defaults to true.
  // +optional
  // +nullable
  optional bool allowPrivilegeEscalation = 23;

  // SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
  // +nullable
  optional SELinuxContextStrategyOptions seLinuxContext = 13;

  // RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
  // +nullable
  optional RunAsUserStrategyOptions runAsUser = 14;

  // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
  // +nullable
  optional SupplementalGroupsStrategyOptions supplementalGroups = 15;

  // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
  // +nullable
  optional FSGroupStrategyOptions fsGroup = 16;

  // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
  // system.  If the container specifically requests to run with a non-read only root file system
  // the SCC should deny the pod.
  // If set to false the container may run with a read only root file system if it wishes but it
  // will not be forced to.
  optional bool readOnlyRootFilesystem = 17;

  // The users who have permissions to use this security context constraints
  // +optional
  // +nullable
  repeated string users = 18;

  // The groups that have permission to use this security context constraints
  // +optional
  // +nullable
  repeated string groups = 19;

  // SeccompProfiles lists the allowed profiles that may be set for the pod or
  // container's seccomp annotations.  An unset (nil) or empty value means that no profiles may
  // be specifid by the pod or container.	The wildcard '*' may be used to allow all profiles.  When
  // used to generate a value for a pod the first non-wildcard profile will be used as
  // the default.
  // +nullable
  repeated string seccompProfiles = 20;

  // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
  // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
  //
  // Examples:
  // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
  // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
  // +optional
  // +nullable
  repeated string allowedUnsafeSysctls = 24;

  // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
  //
  // Examples:
  // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
  // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
  // +optional
  // +nullable
  repeated string forbiddenSysctls = 25;
}

// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SecurityContextConstraintsList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of security context constraints.
  repeated SecurityContextConstraints items = 2;
}

// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
message ServiceAccountPodSecurityPolicyReviewStatus {
  optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1;

  // name contains the allowed and the denied ServiceAccount name
  optional string name = 2;
}

// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
message SupplementalGroupsStrategyOptions {
  // Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
  optional string type = 1;

  // Ranges are the allowed ranges of supplemental groups.  If you would like to force a single
  // supplemental group then supply a single range with the same start and end.
  repeated IDRange ranges = 2;
}