mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-12-04 20:20:19 +00:00
5ea99fdd5b
This initial version of yamlgen generates deploy/scc.yaml based on the deployment artifact that is provided by the new api/deploy/ocp package. Signed-off-by: Niels de Vos <ndevos@redhat.com>
373 lines
17 KiB
Protocol Buffer
373 lines
17 KiB
Protocol Buffer
|
|
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
syntax = "proto2";
|
|
|
|
package github.com.openshift.api.security.v1;
|
|
|
|
import "k8s.io/api/core/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
// Package-wide variables from generator "generated".
|
|
option go_package = "v1";
|
|
|
|
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
|
|
message AllowedFlexVolume {
|
|
// Driver is the name of the Flexvolume driver.
|
|
optional string driver = 1;
|
|
}
|
|
|
|
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
|
|
message FSGroupStrategyOptions {
|
|
// Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
|
|
optional string type = 1;
|
|
|
|
// Ranges are the allowed ranges of fs groups. If you would like to force a single
|
|
// fs group then supply a single range with the same start and end.
|
|
repeated IDRange ranges = 2;
|
|
}
|
|
|
|
// IDRange provides a min/max of an allowed range of IDs.
|
|
// TODO: this could be reused for UIDs.
|
|
message IDRange {
|
|
// Min is the start of the range, inclusive.
|
|
optional int64 min = 1;
|
|
|
|
// Max is the end of the range, inclusive.
|
|
optional int64 max = 2;
|
|
}
|
|
|
|
// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +openshift:compatibility-gen:level=1
|
|
message PodSecurityPolicyReview {
|
|
// spec is the PodSecurityPolicy to check.
|
|
optional PodSecurityPolicyReviewSpec spec = 1;
|
|
|
|
// status represents the current information/status for the PodSecurityPolicyReview.
|
|
optional PodSecurityPolicyReviewStatus status = 2;
|
|
}
|
|
|
|
// PodSecurityPolicyReviewSpec defines specification for PodSecurityPolicyReview
|
|
message PodSecurityPolicyReviewSpec {
|
|
// template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
|
|
// if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
|
|
// in which case "default" is used.
|
|
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
|
|
optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
|
|
|
|
// serviceAccountNames is an optional set of ServiceAccounts to run the check with.
|
|
// If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
|
|
// unless it's empty, in which case "default" is used instead.
|
|
// If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
|
|
repeated string serviceAccountNames = 2;
|
|
}
|
|
|
|
// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
|
|
message PodSecurityPolicyReviewStatus {
|
|
// allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
|
|
repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1;
|
|
}
|
|
|
|
// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +openshift:compatibility-gen:level=1
|
|
message PodSecurityPolicySelfSubjectReview {
|
|
// spec defines specification the PodSecurityPolicySelfSubjectReview.
|
|
optional PodSecurityPolicySelfSubjectReviewSpec spec = 1;
|
|
|
|
// status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
|
|
optional PodSecurityPolicySubjectReviewStatus status = 2;
|
|
}
|
|
|
|
// PodSecurityPolicySelfSubjectReviewSpec contains specification for PodSecurityPolicySelfSubjectReview.
|
|
message PodSecurityPolicySelfSubjectReviewSpec {
|
|
// template is the PodTemplateSpec to check.
|
|
optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
|
|
}
|
|
|
|
// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +openshift:compatibility-gen:level=1
|
|
message PodSecurityPolicySubjectReview {
|
|
// spec defines specification for the PodSecurityPolicySubjectReview.
|
|
optional PodSecurityPolicySubjectReviewSpec spec = 1;
|
|
|
|
// status represents the current information/status for the PodSecurityPolicySubjectReview.
|
|
optional PodSecurityPolicySubjectReviewStatus status = 2;
|
|
}
|
|
|
|
// PodSecurityPolicySubjectReviewSpec defines specification for PodSecurityPolicySubjectReview
|
|
message PodSecurityPolicySubjectReviewSpec {
|
|
// template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
|
|
// If its non-empty, it will be checked.
|
|
optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
|
|
|
|
// user is the user you're testing for.
|
|
// If you specify "user" but not "group", then is it interpreted as "What if user were not a member of any groups.
|
|
// If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
|
|
optional string user = 2;
|
|
|
|
// groups is the groups you're testing for.
|
|
repeated string groups = 3;
|
|
}
|
|
|
|
// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
|
|
message PodSecurityPolicySubjectReviewStatus {
|
|
// allowedBy is a reference to the rule that allows the PodTemplateSpec.
|
|
// A rule can be a SecurityContextConstraint or a PodSecurityPolicy
|
|
// A `nil`, indicates that it was denied.
|
|
optional k8s.io.api.core.v1.ObjectReference allowedBy = 1;
|
|
|
|
// A machine-readable description of why this operation is in the
|
|
// "Failure" status. If this value is empty there
|
|
// is no information available.
|
|
optional string reason = 2;
|
|
|
|
// template is the PodTemplateSpec after the defaulting is applied.
|
|
optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
|
|
}
|
|
|
|
// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +openshift:compatibility-gen:level=1
|
|
message RangeAllocation {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
|
|
optional string range = 2;
|
|
|
|
// data is a byte array representing the serialized state of a range allocation. It is a bitmap
|
|
// with each bit set to one to represent a range is taken.
|
|
optional bytes data = 3;
|
|
}
|
|
|
|
// RangeAllocationList is a list of RangeAllocations objects
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +openshift:compatibility-gen:level=1
|
|
message RangeAllocationList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// List of RangeAllocations.
|
|
repeated RangeAllocation items = 2;
|
|
}
|
|
|
|
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
|
|
message RunAsUserStrategyOptions {
|
|
// Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
|
|
optional string type = 1;
|
|
|
|
// UID is the user id that containers must run as. Required for the MustRunAs strategy if not using
|
|
// namespace/service account allocated uids.
|
|
optional int64 uid = 2;
|
|
|
|
// UIDRangeMin defines the min value for a strategy that allocates by range.
|
|
optional int64 uidRangeMin = 3;
|
|
|
|
// UIDRangeMax defines the max value for a strategy that allocates by range.
|
|
optional int64 uidRangeMax = 4;
|
|
}
|
|
|
|
// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
|
|
message SELinuxContextStrategyOptions {
|
|
// Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
|
|
optional string type = 1;
|
|
|
|
// seLinuxOptions required to run as; required for MustRunAs
|
|
optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
|
|
}
|
|
|
|
// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
|
|
// that will be applied to a container.
|
|
// For historical reasons SCC was exposed under the core Kubernetes API group.
|
|
// That exposure is deprecated and will be removed in a future release - users
|
|
// should instead use the security.openshift.io group to manage
|
|
// SecurityContextConstraints.
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
|
|
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
|
|
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
|
|
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
|
|
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
|
|
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
|
|
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
|
|
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
|
|
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
|
|
// +kubebuilder:singular=securitycontextconstraint
|
|
// +openshift:compatibility-gen:level=1
|
|
message SecurityContextConstraints {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
// Priority influences the sort order of SCCs when evaluating which SCCs to try first for
|
|
// a given pod request based on access in the Users and Groups fields. The higher the int, the
|
|
// higher priority. An unset value is considered a 0 priority. If scores
|
|
// for multiple SCCs are equal they will be sorted from most restrictive to
|
|
// least restrictive. If both priorities and restrictions are equal the
|
|
// SCCs will be sorted by name.
|
|
// +nullable
|
|
optional int32 priority = 2;
|
|
|
|
// AllowPrivilegedContainer determines if a container can request to be run as privileged.
|
|
optional bool allowPrivilegedContainer = 3;
|
|
|
|
// DefaultAddCapabilities is the default set of capabilities that will be added to the container
|
|
// unless the pod spec specifically drops the capability. You may not list a capabiility in both
|
|
// DefaultAddCapabilities and RequiredDropCapabilities.
|
|
// +nullable
|
|
repeated string defaultAddCapabilities = 4;
|
|
|
|
// RequiredDropCapabilities are the capabilities that will be dropped from the container. These
|
|
// are required to be dropped and cannot be added.
|
|
// +nullable
|
|
repeated string requiredDropCapabilities = 5;
|
|
|
|
// AllowedCapabilities is a list of capabilities that can be requested to add to the container.
|
|
// Capabilities in this field maybe added at the pod author's discretion.
|
|
// You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
|
|
// To allow all capabilities you may use '*'.
|
|
// +nullable
|
|
repeated string allowedCapabilities = 6;
|
|
|
|
// AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin
|
|
// +k8s:conversion-gen=false
|
|
optional bool allowHostDirVolumePlugin = 7;
|
|
|
|
// Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
|
|
// of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
|
|
// To allow no volumes, set to ["none"].
|
|
// +nullable
|
|
repeated string volumes = 8;
|
|
|
|
// AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
|
|
// Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
|
|
// is allowed in the "Volumes" field.
|
|
// +optional
|
|
// +nullable
|
|
repeated AllowedFlexVolume allowedFlexVolumes = 21;
|
|
|
|
// AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
|
|
optional bool allowHostNetwork = 9;
|
|
|
|
// AllowHostPorts determines if the policy allows host ports in the containers.
|
|
optional bool allowHostPorts = 10;
|
|
|
|
// AllowHostPID determines if the policy allows host pid in the containers.
|
|
optional bool allowHostPID = 11;
|
|
|
|
// AllowHostIPC determines if the policy allows host ipc in the containers.
|
|
optional bool allowHostIPC = 12;
|
|
|
|
// DefaultAllowPrivilegeEscalation controls the default setting for whether a
|
|
// process can gain more privileges than its parent process.
|
|
// +optional
|
|
// +nullable
|
|
optional bool defaultAllowPrivilegeEscalation = 22;
|
|
|
|
// AllowPrivilegeEscalation determines if a pod can request to allow
|
|
// privilege escalation. If unspecified, defaults to true.
|
|
// +optional
|
|
// +nullable
|
|
optional bool allowPrivilegeEscalation = 23;
|
|
|
|
// SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
|
|
// +nullable
|
|
optional SELinuxContextStrategyOptions seLinuxContext = 13;
|
|
|
|
// RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
|
|
// +nullable
|
|
optional RunAsUserStrategyOptions runAsUser = 14;
|
|
|
|
// SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
|
|
// +nullable
|
|
optional SupplementalGroupsStrategyOptions supplementalGroups = 15;
|
|
|
|
// FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
|
|
// +nullable
|
|
optional FSGroupStrategyOptions fsGroup = 16;
|
|
|
|
// ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
|
|
// system. If the container specifically requests to run with a non-read only root file system
|
|
// the SCC should deny the pod.
|
|
// If set to false the container may run with a read only root file system if it wishes but it
|
|
// will not be forced to.
|
|
optional bool readOnlyRootFilesystem = 17;
|
|
|
|
// The users who have permissions to use this security context constraints
|
|
// +optional
|
|
// +nullable
|
|
repeated string users = 18;
|
|
|
|
// The groups that have permission to use this security context constraints
|
|
// +optional
|
|
// +nullable
|
|
repeated string groups = 19;
|
|
|
|
// SeccompProfiles lists the allowed profiles that may be set for the pod or
|
|
// container's seccomp annotations. An unset (nil) or empty value means that no profiles may
|
|
// be specifid by the pod or container. The wildcard '*' may be used to allow all profiles. When
|
|
// used to generate a value for a pod the first non-wildcard profile will be used as
|
|
// the default.
|
|
// +nullable
|
|
repeated string seccompProfiles = 20;
|
|
|
|
// AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
|
|
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
|
|
// as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
|
|
// Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
|
|
//
|
|
// Examples:
|
|
// e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
|
|
// e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
|
|
// +optional
|
|
// +nullable
|
|
repeated string allowedUnsafeSysctls = 24;
|
|
|
|
// ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
|
|
// Each entry is either a plain sysctl name or ends in "*" in which case it is considered
|
|
// as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
|
|
//
|
|
// Examples:
|
|
// e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
|
|
// e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
|
|
// +optional
|
|
// +nullable
|
|
repeated string forbiddenSysctls = 25;
|
|
}
|
|
|
|
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects
|
|
//
|
|
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
|
|
// +openshift:compatibility-gen:level=1
|
|
message SecurityContextConstraintsList {
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
// List of security context constraints.
|
|
repeated SecurityContextConstraints items = 2;
|
|
}
|
|
|
|
// ServiceAccountPodSecurityPolicyReviewStatus represents ServiceAccount name and related review status
|
|
message ServiceAccountPodSecurityPolicyReviewStatus {
|
|
optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1;
|
|
|
|
// name contains the allowed and the denied ServiceAccount name
|
|
optional string name = 2;
|
|
}
|
|
|
|
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
|
|
message SupplementalGroupsStrategyOptions {
|
|
// Type is the strategy that will dictate what supplemental groups is used in the SecurityContext.
|
|
optional string type = 1;
|
|
|
|
// Ranges are the allowed ranges of supplemental groups. If you would like to force a single
|
|
// supplemental group then supply a single range with the same start and end.
|
|
repeated IDRange ranges = 2;
|
|
}
|
|
|