// This file was autogenerated by go-to-protobuf. Do not edit it manually! syntax = "proto2"; package github.com.openshift.api.security.v1; import "k8s.io/api/core/v1/generated.proto"; import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto"; import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto"; // Package-wide variables from generator "generated". option go_package = "github.com/openshift/api/security/v1"; // AllowedFlexVolume represents a single Flexvolume that is allowed to be used. message AllowedFlexVolume { // Driver is the name of the Flexvolume driver. optional string driver = 1; } // FSGroupStrategyOptions defines the strategy type and options used to create the strategy. message FSGroupStrategyOptions { // Type is the strategy that will dictate what FSGroup is used in the SecurityContext. optional string type = 1; // Ranges are the allowed ranges of fs groups. If you would like to force a single // fs group then supply a single range with the same start and end. repeated IDRange ranges = 2; } // IDRange provides a min/max of an allowed range of IDs. // TODO: this could be reused for UIDs. message IDRange { // Min is the start of the range, inclusive. optional int64 min = 1; // Max is the end of the range, inclusive. optional int64 max = 2; } // PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question. // // Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=2 message PodSecurityPolicyReview { // spec is the PodSecurityPolicy to check. optional PodSecurityPolicyReviewSpec spec = 1; // status represents the current information/status for the PodSecurityPolicyReview. optional PodSecurityPolicyReviewStatus status = 2; } // PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview message PodSecurityPolicyReviewSpec { // template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used // if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty, // in which case "default" is used. // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. optional k8s.io.api.core.v1.PodTemplateSpec template = 1; // serviceAccountNames is an optional set of ServiceAccounts to run the check with. // If serviceAccountNames is empty, the template.spec.serviceAccountName is used, // unless it's empty, in which case "default" is used instead. // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored. repeated string serviceAccountNames = 2; } // PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview. message PodSecurityPolicyReviewStatus { // allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec. repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1; } // PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec // // Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=2 message PodSecurityPolicySelfSubjectReview { // spec defines specification the PodSecurityPolicySelfSubjectReview. optional PodSecurityPolicySelfSubjectReviewSpec spec = 1; // status represents the current information/status for the PodSecurityPolicySelfSubjectReview. optional PodSecurityPolicySubjectReviewStatus status = 2; } // PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview. message PodSecurityPolicySelfSubjectReviewSpec { // template is the PodTemplateSpec to check. optional k8s.io.api.core.v1.PodTemplateSpec template = 1; } // PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec. // // Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=2 message PodSecurityPolicySubjectReview { // spec defines specification for the PodSecurityPolicySubjectReview. optional PodSecurityPolicySubjectReviewSpec spec = 1; // status represents the current information/status for the PodSecurityPolicySubjectReview. optional PodSecurityPolicySubjectReviewStatus status = 2; } // PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview message PodSecurityPolicySubjectReviewSpec { // template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted. // If its non-empty, it will be checked. optional k8s.io.api.core.v1.PodTemplateSpec template = 1; // user is the user you're testing for. // If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups. // If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template. optional string user = 2; // groups is the groups you're testing for. repeated string groups = 3; } // PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview. message PodSecurityPolicySubjectReviewStatus { // allowedBy is a reference to the rule that allows the PodTemplateSpec. // A rule can be a SecurityContextConstraint or a PodSecurityPolicy // A `nil`, indicates that it was denied. optional k8s.io.api.core.v1.ObjectReference allowedBy = 1; // A machine-readable description of why this operation is in the // "Failure" status. If this value is empty there // is no information available. optional string reason = 2; // template is the PodTemplateSpec after the defaulting is applied. optional k8s.io.api.core.v1.PodTemplateSpec template = 3; } // RangeAllocation is used so we can easily expose a RangeAllocation typed for security group // // Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support. // +openshift:compatibility-gen:level=4 message RangeAllocation { // metadata is the standard object's metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000". optional string range = 2; // data is a byte array representing the serialized state of a range allocation. It is a bitmap // with each bit set to one to represent a range is taken. optional bytes data = 3; } // RangeAllocationList is a list of RangeAllocations objects // // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=1 message RangeAllocationList { // metadata is the standard list's metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; // List of RangeAllocations. repeated RangeAllocation items = 2; } // RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy. message RunAsUserStrategyOptions { // Type is the strategy that will dictate what RunAsUser is used in the SecurityContext. optional string type = 1; // UID is the user id that containers must run as. Required for the MustRunAs strategy if not using // namespace/service account allocated uids. optional int64 uid = 2; // UIDRangeMin defines the min value for a strategy that allocates by range. optional int64 uidRangeMin = 3; // UIDRangeMax defines the max value for a strategy that allocates by range. optional int64 uidRangeMax = 4; } // SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy. message SELinuxContextStrategyOptions { // Type is the strategy that will dictate what SELinux context is used in the SecurityContext. optional string type = 1; // seLinuxOptions required to run as; required for MustRunAs optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2; } // SecurityContextConstraints governs the ability to make requests that affect the SecurityContext // that will be applied to a container. // For historical reasons SCC was exposed under the core Kubernetes API group. // That exposure is deprecated and will be removed in a future release - users // should instead use the security.openshift.io group to manage // SecurityContextConstraints. // // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). // +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged" // +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container" // +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext" // +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext" // +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext" // +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext" // +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs" // +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system" // +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins" // +kubebuilder:singular=securitycontextconstraint // +openshift:compatibility-gen:level=1 message SecurityContextConstraints { // metadata is the standard object's metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1; // Priority influences the sort order of SCCs when evaluating which SCCs to try first for // a given pod request based on access in the Users and Groups fields. The higher the int, the // higher priority. An unset value is considered a 0 priority. If scores // for multiple SCCs are equal they will be sorted from most restrictive to // least restrictive. If both priorities and restrictions are equal the // SCCs will be sorted by name. // +nullable optional int32 priority = 2; // AllowPrivilegedContainer determines if a container can request to be run as privileged. optional bool allowPrivilegedContainer = 3; // DefaultAddCapabilities is the default set of capabilities that will be added to the container // unless the pod spec specifically drops the capability. You may not list a capabiility in both // DefaultAddCapabilities and RequiredDropCapabilities. // +nullable repeated string defaultAddCapabilities = 4; // RequiredDropCapabilities are the capabilities that will be dropped from the container. These // are required to be dropped and cannot be added. // +nullable repeated string requiredDropCapabilities = 5; // AllowedCapabilities is a list of capabilities that can be requested to add to the container. // Capabilities in this field maybe added at the pod author's discretion. // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities. // To allow all capabilities you may use '*'. // +nullable repeated string allowedCapabilities = 6; // AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin // +k8s:conversion-gen=false optional bool allowHostDirVolumePlugin = 7; // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*". // To allow no volumes, set to ["none"]. // +nullable repeated string volumes = 8; // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes // is allowed in the "Volumes" field. // +optional // +nullable repeated AllowedFlexVolume allowedFlexVolumes = 21; // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec. optional bool allowHostNetwork = 9; // AllowHostPorts determines if the policy allows host ports in the containers. optional bool allowHostPorts = 10; // AllowHostPID determines if the policy allows host pid in the containers. optional bool allowHostPID = 11; // AllowHostIPC determines if the policy allows host ipc in the containers. optional bool allowHostIPC = 12; // DefaultAllowPrivilegeEscalation controls the default setting for whether a // process can gain more privileges than its parent process. // +optional // +nullable optional bool defaultAllowPrivilegeEscalation = 22; // AllowPrivilegeEscalation determines if a pod can request to allow // privilege escalation. If unspecified, defaults to true. // +optional // +nullable optional bool allowPrivilegeEscalation = 23; // SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext. // +nullable optional SELinuxContextStrategyOptions seLinuxContext = 13; // RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext. // +nullable optional RunAsUserStrategyOptions runAsUser = 14; // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext. // +nullable optional SupplementalGroupsStrategyOptions supplementalGroups = 15; // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext. // +nullable optional FSGroupStrategyOptions fsGroup = 16; // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file // system. If the container specifically requests to run with a non-read only root file system // the SCC should deny the pod. // If set to false the container may run with a read only root file system if it wishes but it // will not be forced to. optional bool readOnlyRootFilesystem = 17; // The users who have permissions to use this security context constraints // +optional // +nullable repeated string users = 18; // The groups that have permission to use this security context constraints // +optional // +nullable repeated string groups = 19; // SeccompProfiles lists the allowed profiles that may be set for the pod or // container's seccomp annotations. An unset (nil) or empty value means that no profiles may // be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When // used to generate a value for a pod the first non-wildcard profile will be used as // the default. // +nullable repeated string seccompProfiles = 20; // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed. // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection. // // Examples: // e.g. "foo/*" allows "foo/bar", "foo/baz", etc. // e.g. "foo.*" allows "foo.bar", "foo.baz", etc. // +optional // +nullable repeated string allowedUnsafeSysctls = 24; // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none. // Each entry is either a plain sysctl name or ends in "*" in which case it is considered // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden. // // Examples: // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc. // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc. // +optional // +nullable repeated string forbiddenSysctls = 25; } // SecurityContextConstraintsList is a list of SecurityContextConstraints objects // // Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer). // +openshift:compatibility-gen:level=1 message SecurityContextConstraintsList { // metadata is the standard list's metadata. // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1; // List of security context constraints. repeated SecurityContextConstraints items = 2; } // ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status message ServiceAccountPodSecurityPolicyReviewStatus { optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1; // name contains the allowed and the denied ServiceAccount name optional string name = 2; } // SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy. message SupplementalGroupsStrategyOptions { // Type is the strategy that will dictate what supplemental groups is used in the SecurityContext. optional string type = 1; // Ranges are the allowed ranges of supplemental groups. If you would like to force a single // supplemental group then supply a single range with the same start and end. repeated IDRange ranges = 2; }