git subrepo clone (merge) https://github.com/kubernetes-incubator/metrics-server.git metrics-server
subrepo:
subdir: "metrics-server"
merged: "92d8412"
upstream:
origin: "https://github.com/kubernetes-incubator/metrics-server.git"
branch: "master"
commit: "92d8412"
git-subrepo:
version: "0.4.0"
origin: "???"
commit: "???"
diff --git a/metrics-server/vendor/k8s.io/api/policy/v1beta1/generated.proto b/metrics-server/vendor/k8s.io/api/policy/v1beta1/generated.proto
new file mode 100644
index 0000000..1a14d94
--- /dev/null
+++ b/metrics-server/vendor/k8s.io/api/policy/v1beta1/generated.proto
@@ -0,0 +1,334 @@
+/*
+Copyright The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+
+// This file was autogenerated by go-to-protobuf. Do not edit it manually!
+
+syntax = 'proto2';
+
+package k8s.io.api.policy.v1beta1;
+
+import "k8s.io/api/core/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/generated.proto";
+import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
+import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
+
+// Package-wide variables from generator "generated".
+option go_package = "v1beta1";
+
+// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
+message AllowedFlexVolume {
+ // driver is the name of the Flexvolume driver.
+ optional string driver = 1;
+}
+
+// AllowedHostPath defines the host volume conditions that will be enabled by a policy
+// for pods to use. It requires the path prefix to be defined.
+message AllowedHostPath {
+ // pathPrefix is the path prefix that the host volume must match.
+ // It does not support `*`.
+ // Trailing slashes are trimmed when validating the path prefix with a host path.
+ //
+ // Examples:
+ // `/foo` would allow `/foo`, `/foo/` and `/foo/bar`
+ // `/foo` would not allow `/food` or `/etc/foo`
+ optional string pathPrefix = 1;
+
+ // when set to true, will allow host volumes matching the pathPrefix only if all volume mounts are readOnly.
+ // +optional
+ optional bool readOnly = 2;
+}
+
+// Eviction evicts a pod from its node subject to certain policies and safety constraints.
+// This is a subresource of Pod. A request to cause such an eviction is
+// created by POSTing to .../pods/<pod name>/evictions.
+message Eviction {
+ // ObjectMeta describes the pod that is being evicted.
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+ // DeleteOptions may be provided
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.DeleteOptions deleteOptions = 2;
+}
+
+// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
+message FSGroupStrategyOptions {
+ // rule is the strategy that will dictate what FSGroup is used in the SecurityContext.
+ // +optional
+ optional string rule = 1;
+
+ // ranges are the allowed ranges of fs groups. If you would like to force a single
+ // fs group then supply a single range with the same start and end. Required for MustRunAs.
+ // +optional
+ repeated IDRange ranges = 2;
+}
+
+// HostPortRange defines a range of host ports that will be enabled by a policy
+// for pods to use. It requires both the start and end to be defined.
+message HostPortRange {
+ // min is the start of the range, inclusive.
+ optional int32 min = 1;
+
+ // max is the end of the range, inclusive.
+ optional int32 max = 2;
+}
+
+// IDRange provides a min/max of an allowed range of IDs.
+message IDRange {
+ // min is the start of the range, inclusive.
+ optional int64 min = 1;
+
+ // max is the end of the range, inclusive.
+ optional int64 max = 2;
+}
+
+// PodDisruptionBudget is an object to define the max disruption that can be caused to a collection of pods
+message PodDisruptionBudget {
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+ // Specification of the desired behavior of the PodDisruptionBudget.
+ optional PodDisruptionBudgetSpec spec = 2;
+
+ // Most recently observed status of the PodDisruptionBudget.
+ optional PodDisruptionBudgetStatus status = 3;
+}
+
+// PodDisruptionBudgetList is a collection of PodDisruptionBudgets.
+message PodDisruptionBudgetList {
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+ repeated PodDisruptionBudget items = 2;
+}
+
+// PodDisruptionBudgetSpec is a description of a PodDisruptionBudget.
+message PodDisruptionBudgetSpec {
+ // An eviction is allowed if at least "minAvailable" pods selected by
+ // "selector" will still be available after the eviction, i.e. even in the
+ // absence of the evicted pod. So for example you can prevent all voluntary
+ // evictions by specifying "100%".
+ optional k8s.io.apimachinery.pkg.util.intstr.IntOrString minAvailable = 1;
+
+ // Label query over pods whose evictions are managed by the disruption
+ // budget.
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector selector = 2;
+
+ // An eviction is allowed if at most "maxUnavailable" pods selected by
+ // "selector" are unavailable after the eviction, i.e. even in absence of
+ // the evicted pod. For example, one can prevent all voluntary evictions
+ // by specifying 0. This is a mutually exclusive setting with "minAvailable".
+ optional k8s.io.apimachinery.pkg.util.intstr.IntOrString maxUnavailable = 3;
+}
+
+// PodDisruptionBudgetStatus represents information about the status of a
+// PodDisruptionBudget. Status may trail the actual state of a system.
+message PodDisruptionBudgetStatus {
+ // Most recent generation observed when updating this PDB status. PodDisruptionsAllowed and other
+ // status informatio is valid only if observedGeneration equals to PDB's object generation.
+ // +optional
+ optional int64 observedGeneration = 1;
+
+ // DisruptedPods contains information about pods whose eviction was
+ // processed by the API server eviction subresource handler but has not
+ // yet been observed by the PodDisruptionBudget controller.
+ // A pod will be in this map from the time when the API server processed the
+ // eviction request to the time when the pod is seen by PDB controller
+ // as having been marked for deletion (or after a timeout). The key in the map is the name of the pod
+ // and the value is the time when the API server processed the eviction request. If
+ // the deletion didn't occur and a pod is still there it will be removed from
+ // the list automatically by PodDisruptionBudget controller after some time.
+ // If everything goes smooth this map should be empty for the most of the time.
+ // Large number of entries in the map may indicate problems with pod deletions.
+ map<string, k8s.io.apimachinery.pkg.apis.meta.v1.Time> disruptedPods = 2;
+
+ // Number of pod disruptions that are currently allowed.
+ optional int32 disruptionsAllowed = 3;
+
+ // current number of healthy pods
+ optional int32 currentHealthy = 4;
+
+ // minimum desired number of healthy pods
+ optional int32 desiredHealthy = 5;
+
+ // total number of pods counted by this disruption budget
+ optional int32 expectedPods = 6;
+}
+
+// PodSecurityPolicy governs the ability to make requests that affect the Security Context
+// that will be applied to a pod and container.
+message PodSecurityPolicy {
+ // Standard object's metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ // +optional
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
+
+ // spec defines the policy enforced.
+ // +optional
+ optional PodSecurityPolicySpec spec = 2;
+}
+
+// PodSecurityPolicyList is a list of PodSecurityPolicy objects.
+message PodSecurityPolicyList {
+ // Standard list metadata.
+ // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
+ // +optional
+ optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
+
+ // items is a list of schema objects.
+ repeated PodSecurityPolicy items = 2;
+}
+
+// PodSecurityPolicySpec defines the policy enforced.
+message PodSecurityPolicySpec {
+ // privileged determines if a pod can request to be run as privileged.
+ // +optional
+ optional bool privileged = 1;
+
+ // defaultAddCapabilities is the default set of capabilities that will be added to the container
+ // unless the pod spec specifically drops the capability. You may not list a capability in both
+ // defaultAddCapabilities and requiredDropCapabilities. Capabilities added here are implicitly
+ // allowed, and need not be included in the allowedCapabilities list.
+ // +optional
+ repeated string defaultAddCapabilities = 2;
+
+ // requiredDropCapabilities are the capabilities that will be dropped from the container. These
+ // are required to be dropped and cannot be added.
+ // +optional
+ repeated string requiredDropCapabilities = 3;
+
+ // allowedCapabilities is a list of capabilities that can be requested to add to the container.
+ // Capabilities in this field may be added at the pod author's discretion.
+ // You must not list a capability in both allowedCapabilities and requiredDropCapabilities.
+ // +optional
+ repeated string allowedCapabilities = 4;
+
+ // volumes is a white list of allowed volume plugins. Empty indicates that
+ // no volumes may be used. To allow all volumes you may use '*'.
+ // +optional
+ repeated string volumes = 5;
+
+ // hostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
+ // +optional
+ optional bool hostNetwork = 6;
+
+ // hostPorts determines which host port ranges are allowed to be exposed.
+ // +optional
+ repeated HostPortRange hostPorts = 7;
+
+ // hostPID determines if the policy allows the use of HostPID in the pod spec.
+ // +optional
+ optional bool hostPID = 8;
+
+ // hostIPC determines if the policy allows the use of HostIPC in the pod spec.
+ // +optional
+ optional bool hostIPC = 9;
+
+ // seLinux is the strategy that will dictate the allowable labels that may be set.
+ optional SELinuxStrategyOptions seLinux = 10;
+
+ // runAsUser is the strategy that will dictate the allowable RunAsUser values that may be set.
+ optional RunAsUserStrategyOptions runAsUser = 11;
+
+ // supplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
+ optional SupplementalGroupsStrategyOptions supplementalGroups = 12;
+
+ // fsGroup is the strategy that will dictate what fs group is used by the SecurityContext.
+ optional FSGroupStrategyOptions fsGroup = 13;
+
+ // readOnlyRootFilesystem when set to true will force containers to run with a read only root file
+ // system. If the container specifically requests to run with a non-read only root file system
+ // the PSP should deny the pod.
+ // If set to false the container may run with a read only root file system if it wishes but it
+ // will not be forced to.
+ // +optional
+ optional bool readOnlyRootFilesystem = 14;
+
+ // defaultAllowPrivilegeEscalation controls the default setting for whether a
+ // process can gain more privileges than its parent process.
+ // +optional
+ optional bool defaultAllowPrivilegeEscalation = 15;
+
+ // allowPrivilegeEscalation determines if a pod can request to allow
+ // privilege escalation. If unspecified, defaults to true.
+ // +optional
+ optional bool allowPrivilegeEscalation = 16;
+
+ // allowedHostPaths is a white list of allowed host paths. Empty indicates
+ // that all host paths may be used.
+ // +optional
+ repeated AllowedHostPath allowedHostPaths = 17;
+
+ // allowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
+ // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
+ // is allowed in the "volumes" field.
+ // +optional
+ repeated AllowedFlexVolume allowedFlexVolumes = 18;
+
+ // allowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
+ // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
+ //
+ // Examples:
+ // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string allowedUnsafeSysctls = 19;
+
+ // forbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
+ // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
+ // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
+ //
+ // Examples:
+ // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
+ // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
+ // +optional
+ repeated string forbiddenSysctls = 20;
+}
+
+// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
+message RunAsUserStrategyOptions {
+ // rule is the strategy that will dictate the allowable RunAsUser values that may be set.
+ optional string rule = 1;
+
+ // ranges are the allowed ranges of uids that may be used. If you would like to force a single uid
+ // then supply a single range with the same start and end. Required for MustRunAs.
+ // +optional
+ repeated IDRange ranges = 2;
+}
+
+// SELinuxStrategyOptions defines the strategy type and any options used to create the strategy.
+message SELinuxStrategyOptions {
+ // rule is the strategy that will dictate the allowable labels that may be set.
+ optional string rule = 1;
+
+ // seLinuxOptions required to run as; required for MustRunAs
+ // More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ // +optional
+ optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
+}
+
+// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
+message SupplementalGroupsStrategyOptions {
+ // rule is the strategy that will dictate what supplemental groups is used in the SecurityContext.
+ // +optional
+ optional string rule = 1;
+
+ // ranges are the allowed ranges of supplemental groups. If you would like to force a single
+ // supplemental group then supply a single range with the same start and end. Required for MustRunAs.
+ // +optional
+ repeated IDRange ranges = 2;
+}
+