/*
Copyright The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
16
17
18// This file was autogenerated by go-to-protobuf. Do not edit it manually!
19
// This schema uses proto2 syntax; singular fields below carry an explicit
// `optional` label.
syntax = "proto2";

package k8s.io.api.admissionregistration.v1beta1;

import "k8s.io/api/core/v1/generated.proto";
import "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1/generated.proto";
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "v1beta1";
33
// MutatingWebhookConfiguration describes the configuration of an admission
// webhook that accepts or rejects an object and may also change it.
message MutatingWebhookConfiguration {
  // Standard object metadata.
  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Webhooks lists the webhooks together with the resources and operations
  // each of them affects.
  // +optional
  // +patchMergeKey=name
  // +patchStrategy=merge
  repeated Webhook Webhooks = 2;
}
46
// MutatingWebhookConfigurationList is a list of
// MutatingWebhookConfiguration objects.
message MutatingWebhookConfigurationList {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // The MutatingWebhookConfiguration entries in this list.
  repeated MutatingWebhookConfiguration items = 2;
}
57
// Rule is a tuple of APIGroups, APIVersion, and Resources. It is recommended
// to make sure that all the tuple expansions are valid.
message Rule {
  // APIGroups names the API groups the resources belong to.
  // '*' selects all groups; when '*' is present it must be the only entry.
  // Required.
  repeated string apiGroups = 1;

  // APIVersions names the API versions the resources belong to.
  // '*' selects all versions; when '*' is present it must be the only entry.
  // Required.
  repeated string apiVersions = 2;

  // Resources is the list of resources this rule applies to.
  //
  // For example:
  //   'pods'     means pods.
  //   'pods/log' means the log subresource of pods.
  //   '*'        means all resources, but not subresources.
  //   'pods/*'   means all subresources of pods.
  //   '*/scale'  means all scale subresources.
  //   '*/*'      means all resources and their subresources.
  //
  // If a wildcard is present, the validation rule will ensure resources do
  // not overlap with each other.
  //
  // Depending on the enclosing object, subresources might not be allowed.
  // Required.
  repeated string resources = 3;
}
88
// RuleWithOperations is a tuple of Operations and Resources. It is
// recommended to make sure that all the tuple expansions are valid.
message RuleWithOperations {
  // Operations lists the operations the admission hook cares about:
  // CREATE, UPDATE, or * for all operations.
  // When '*' is present it must be the only entry.
  // Required.
  repeated string operations = 1;

  // Rule is embedded; it carries the remaining criteria of the rule, such as
  // APIGroups, APIVersions, Resources, etc.
  optional Rule rule = 2;
}
102
// ServiceReference holds a reference to Service.legacy.k8s.io
message ServiceReference {
  // `namespace` is the namespace the service lives in.
  // Required
  optional string namespace = 1;

  // `name` is the name of the service.
  // Required
  optional string name = 2;

  // `path` is an optional URL path that is sent in any request to this
  // service.
  // +optional
  optional string path = 3;
}
118
// ValidatingWebhookConfiguration describes the configuration of an admission
// webhook that accepts or rejects an object without changing it.
message ValidatingWebhookConfiguration {
  // Standard object metadata.
  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Webhooks lists the webhooks together with the resources and operations
  // each of them affects.
  // +optional
  // +patchMergeKey=name
  // +patchStrategy=merge
  repeated Webhook Webhooks = 2;
}
131
// ValidatingWebhookConfigurationList is a list of
// ValidatingWebhookConfiguration objects.
message ValidatingWebhookConfigurationList {
  // Standard list metadata.
  // More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // The ValidatingWebhookConfiguration entries in this list.
  repeated ValidatingWebhookConfiguration items = 2;
}
142
// Webhook describes an admission webhook and the resources and operations it
// applies to.
message Webhook {
  // The name of the admission webhook.
  // The name should be fully qualified, e.g., imagepolicy.kubernetes.io,
  // where "imagepolicy" is the name of the webhook and kubernetes.io is the
  // name of the organization.
  // Required.
  optional string name = 1;

  // ClientConfig defines how to communicate with the hook.
  // Required
  optional WebhookClientConfig clientConfig = 2;

  // Rules describes which operations on which resources/subresources the
  // webhook cares about. The webhook cares about an operation if it matches
  // _any_ Rule.
  // However, to keep ValidatingAdmissionWebhooks and
  // MutatingAdmissionWebhooks from putting the cluster into a state that
  // cannot be recovered from without completely disabling the plugin, they
  // are never called on admission requests for
  // ValidatingWebhookConfiguration and MutatingWebhookConfiguration objects.
  //
  // NOTE(review): a consequence of that exemption is that changes to the
  // webhook configuration objects themselves are not checked by any webhook
  // defined here; write access to them has to be limited by authorization.
  repeated RuleWithOperations rules = 3;

  // FailurePolicy defines how unrecognized errors from the admission
  // endpoint are handled. Allowed values are Ignore or Fail.
  // Defaults to Ignore.
  //
  // NOTE(review): Ignore is fail-open: when the call to the webhook errors
  // out, the API request proceeds without the webhook's decision. For a
  // webhook that enforces a security policy, set Fail explicitly and plan
  // for the availability impact instead of relying on the default.
  // +optional
  optional string failurePolicy = 4;

  // NamespaceSelector decides whether to run the webhook on an object based
  // on whether the namespace of that object matches the selector. If the
  // object itself is a namespace, the matching is performed on
  // object.metadata.labels. If the object is another cluster scoped
  // resource, it never skips the webhook.
  //
  // For example, to run the webhook on any objects whose namespace is not
  // associated with "runlevel" of "0" or "1", set the selector as follows:
  // "namespaceSelector": {
  //   "matchExpressions": [
  //     {
  //       "key": "runlevel",
  //       "operator": "NotIn",
  //       "values": [
  //         "0",
  //         "1"
  //       ]
  //     }
  //   ]
  // }
  //
  // If instead you want to run the webhook only on objects whose namespace
  // is associated with the "environment" of "prod" or "staging", set the
  // selector as follows:
  // "namespaceSelector": {
  //   "matchExpressions": [
  //     {
  //       "key": "environment",
  //       "operator": "In",
  //       "values": [
  //         "prod",
  //         "staging"
  //       ]
  //     }
  //   ]
  // }
  //
  // See
  // https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  // for more examples of label selectors.
  //
  // Defaults to the empty LabelSelector, which matches everything.
  //
  // NOTE(review): objects in a namespace that does not match are not sent to
  // the webhook, so the labels used here act as an opt-out; who may set or
  // change those namespace labels should be reviewed together with the
  // selector.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 5;
}
215
// WebhookClientConfig contains the information needed to make a TLS
// connection with the webhook.
message WebhookClientConfig {
  // `url` gives the location of the webhook, in standard URL form
  // (`[scheme://]host:port/path`). Exactly one of `url` or `service`
  // must be specified.
  //
  // The `host` should not refer to a service running in the cluster; use
  // the `service` field instead. The host might be resolved via external
  // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
  // in-cluster DNS as that would be a layering violation). `host` may
  // also be an IP address.
  //
  // Please note that using `localhost` or `127.0.0.1` as a `host` is
  // risky unless you take great care to run this webhook on all hosts
  // which run an apiserver which might need to make calls to this
  // webhook. Such installs are likely to be non-portable, i.e., not easy
  // to turn up in a new cluster.
  //
  // The scheme must be "https"; the URL must begin with "https://".
  //
  // A path is optional, and if present may be any string permissible in
  // a URL. You may use the path to pass an arbitrary string to the
  // webhook, for example, a cluster identifier.
  // NOTE(review): the path is stored in this object and is readable by
  // anyone who can read the configuration, so it is not a place for
  // credentials.
  //
  // Attempting to use a user or basic auth, e.g. "user:password@", is not
  // allowed. Fragments ("#...") and query parameters ("?...") are not
  // allowed, either.
  //
  // +optional
  optional string url = 3;

  // `service` is a reference to the service for this webhook. Either
  // `service` or `url` must be specified.
  //
  // If the webhook is running within the cluster, then you should use
  // `service`.
  //
  // Port 443 will be used if it is open, otherwise it is an error.
  //
  // +optional
  optional ServiceReference service = 1;

  // `caBundle` is a PEM encoded CA bundle which will be used to validate
  // the webhook's server certificate.
  // NOTE(review): every CA in the bundle is accepted as an issuer for the
  // webhook endpoint, so keep the bundle limited to the CA that actually
  // issues the webhook's certificate.
  // Required.
  optional bytes caBundle = 2;
}