2// This file was autogenerated by go-to-protobuf. Do not edit it manually!
3
4syntax = "proto2";
5
6package github.com.openshift.api.security.v1;
7
8import "k8s.io/api/core/v1/generated.proto";
9import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
10import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
11
12// Package-wide variables from generator "generated".
13option go_package = "github.com/openshift/api/security/v1";
14
// AllowedFlexVolume represents a single Flexvolume that is allowed to be used.
// Entries of this type are listed in SecurityContextConstraints.allowedFlexVolumes;
// an empty list there means every Flexvolume may be used, so an entry only ever
// narrows the allowed set.
message AllowedFlexVolume {
  // Driver is the name of the Flexvolume driver.
  optional string driver = 1;
}
20
// FSGroupStrategyOptions defines the strategy type and options used to create the strategy.
message FSGroupStrategyOptions {
  // Type is the strategy that will dictate what FSGroup is used in the SecurityContext.
  // Carried as a free-form string rather than an enum; a consumer that meets a value it
  // does not recognize should treat it as an error, not as "no restriction".
  optional string type = 1;

  // Ranges are the allowed ranges of fs groups. If you would like to force a single
  // fs group then supply a single range with the same start and end.
  // Both ends of every IDRange are inclusive.
  repeated IDRange ranges = 2;
}
30
// IDRange provides a min/max of an allowed range of IDs.
// Shared by FSGroupStrategyOptions and SupplementalGroupsStrategyOptions.
// Nothing in this schema enforces min <= max; that check is expected to live in
// the validating code.
// TODO: this could be reused for UIDs.
message IDRange {
  // Min is the start of the range, inclusive.
  optional int64 min = 1;

  // Max is the end of the range, inclusive.
  optional int64 max = 2;
}
40
// PodSecurityPolicyReview checks which service accounts (not users, since that would be cluster-wide) can create the `PodTemplateSpec` in question.
// The answer is namespace-scoped: the status only lists service accounts of the
// namespace the review is submitted to.
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
message PodSecurityPolicyReview {
  // spec is the PodSecurityPolicy to check.
  optional PodSecurityPolicyReviewSpec spec = 1;

  // status represents the current information/status for the PodSecurityPolicyReview.
  // Filled in by the server; values supplied by the client are not meaningful.
  optional PodSecurityPolicyReviewStatus status = 2;
}
52
// PodSecurityPolicyReviewSpec defines the specification for PodSecurityPolicyReview.
message PodSecurityPolicyReviewSpec {
  // template is the PodTemplateSpec to check. The template.spec.serviceAccountName field is used
  // if serviceAccountNames is empty, unless the template.spec.serviceAccountName is empty,
  // in which case "default" is used.
  // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 1;

  // serviceAccountNames is an optional set of ServiceAccounts to run the check with.
  // If serviceAccountNames is empty, the template.spec.serviceAccountName is used,
  // unless it's empty, in which case "default" is used instead.
  // If serviceAccountNames is specified, template.spec.serviceAccountName is ignored.
  // Note the fallback chain: an empty list and an empty template.spec.serviceAccountName
  // silently evaluate the "default" service account, so a review that omits both is
  // not a review of "no identity".
  repeated string serviceAccountNames = 2;
}
67
// PodSecurityPolicyReviewStatus represents the status of PodSecurityPolicyReview.
message PodSecurityPolicyReviewStatus {
  // allowedServiceAccounts returns the list of service accounts in *this* namespace that have the power to create the PodTemplateSpec.
  // Each entry carries the per-account review status, so a caller can see which rule
  // allowed (or denied) the template for that account rather than just a name.
  repeated ServiceAccountPodSecurityPolicyReviewStatus allowedServiceAccounts = 1;
}
73
// PodSecurityPolicySelfSubjectReview checks whether this user/SA tuple can create the PodTemplateSpec.
// Unlike PodSecurityPolicySubjectReview, the subject is the caller itself; no user or
// groups are supplied in the spec.
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
message PodSecurityPolicySelfSubjectReview {
  // spec defines the specification for the PodSecurityPolicySelfSubjectReview.
  optional PodSecurityPolicySelfSubjectReviewSpec spec = 1;

  // status represents the current information/status for the PodSecurityPolicySelfSubjectReview.
  // Shares the PodSecurityPolicySubjectReviewStatus type with the non-self review.
  optional PodSecurityPolicySubjectReviewStatus status = 2;
}
85
// PodSecurityPolicySelfSubjectReviewSpec contains the specification for PodSecurityPolicySelfSubjectReview.
message PodSecurityPolicySelfSubjectReviewSpec {
  // template is the PodTemplateSpec to check.
  // The identity being checked is the requesting user/SA, not anything named in the template.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 1;
}
91
// PodSecurityPolicySubjectReview checks whether a particular user/SA tuple can create the PodTemplateSpec.
// Because the subject is chosen by the caller, access to this review should itself be
// restricted; it answers "what could X do", not "what can I do".
//
// Compatibility level 2: Stable within a major release for a minimum of 9 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=2
message PodSecurityPolicySubjectReview {
  // spec defines the specification for the PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewSpec spec = 1;

  // status represents the current information/status for the PodSecurityPolicySubjectReview.
  optional PodSecurityPolicySubjectReviewStatus status = 2;
}
103
// PodSecurityPolicySubjectReviewSpec defines the specification for PodSecurityPolicySubjectReview.
message PodSecurityPolicySubjectReviewSpec {
  // template is the PodTemplateSpec to check. If template.spec.serviceAccountName is empty it will not be defaulted.
  // If it is non-empty, it will be checked.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 1;

  // user is the user you're testing for.
  // If you specify "user" but not "group", then it is interpreted as "What if user were not a member of any groups?"
  // If user and groups are empty, then the check is performed using *only* the serviceAccountName in the template.
  // Since user is a free-form string, the review result for a name that does not exist
  // in the cluster is still computed; it is not a lookup.
  optional string user = 2;

  // groups is the groups you're testing for.
  // Supplying groups without a user is a distinct case from supplying neither (see `user`).
  repeated string groups = 3;
}
118
// PodSecurityPolicySubjectReviewStatus contains information/status for PodSecurityPolicySubjectReview.
message PodSecurityPolicySubjectReviewStatus {
  // allowedBy is a reference to the rule that allows the PodTemplateSpec.
  // A rule can be a SecurityContextConstraint or a PodSecurityPolicy.
  // A `nil` value indicates that it was denied.
  // Message-typed, so absence (denied) is distinguishable from a reference with empty fields.
  optional k8s.io.api.core.v1.ObjectReference allowedBy = 1;

  // A machine-readable description of why this operation is in the
  // "Failure" status. If this value is empty there
  // is no information available.
  optional string reason = 2;

  // template is the PodTemplateSpec after the defaulting is applied.
  // Compare against the submitted template to see which security-context values the
  // allowing rule injected.
  optional k8s.io.api.core.v1.PodTemplateSpec template = 3;
}
134
// RangeAllocation is used so we can easily expose a RangeAllocation typed for security group.
//
// Compatibility level 4: No compatibility is provided, the API can change at any point for any reason. These capabilities should not be used by applications needing long term support.
// +openshift:compatibility-gen:level=4
message RangeAllocation {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // range is a string representing a unique label for a range of uids, "1000000000-2000000000/10000".
  // The label is parsed by the allocator, not by this schema; the example reads as
  // "<start>-<end>/<block size>" but the exact grammar is defined elsewhere.
  optional string range = 2;

  // data is a byte array representing the serialized state of a range allocation. It is a bitmap
  // with each bit set to one to represent a range is taken.
  // Opaque here: bit order and expected length are owned by the allocator that writes it.
  optional bytes data = 3;
}
151
// RangeAllocationList is a list of RangeAllocation objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message RangeAllocationList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of RangeAllocations.
  repeated RangeAllocation items = 2;
}
164
// RunAsUserStrategyOptions defines the strategy type and any options used to create the strategy.
message RunAsUserStrategyOptions {
  // Type is the strategy that will dictate what RunAsUser is used in the SecurityContext.
  // Free-form string; an unrecognized value should be rejected by the consumer rather
  // than treated as permissive.
  optional string type = 1;

  // UID is the user id that containers must run as. Required for the MustRunAs strategy if not using
  // namespace/service account allocated uids.
  // proto2 `optional` gives explicit presence, so an unset uid is distinguishable from uid 0.
  optional int64 uid = 2;

  // UIDRangeMin defines the min value for a strategy that allocates by range.
  optional int64 uidRangeMin = 3;

  // UIDRangeMax defines the max value for a strategy that allocates by range.
  // Nothing in this schema enforces uidRangeMin <= uidRangeMax.
  optional int64 uidRangeMax = 4;
}
180
// SELinuxContextStrategyOptions defines the strategy type and any options used to create the strategy.
message SELinuxContextStrategyOptions {
  // Type is the strategy that will dictate what SELinux context is used in the SecurityContext.
  optional string type = 1;

  // seLinuxOptions required to run as; required for MustRunAs.
  // Only meaningful for the MustRunAs strategy; it is unused for other strategy types.
  optional k8s.io.api.core.v1.SELinuxOptions seLinuxOptions = 2;
}
189
// SecurityContextConstraints governs the ability to make requests that affect the SecurityContext
// that will be applied to a container.
// For historical reasons SCC was exposed under the core Kubernetes API group.
// That exposure is deprecated and will be removed in a future release - users
// should instead use the security.openshift.io group to manage
// SecurityContextConstraints.
//
// Reviewer notes on this message:
//  - Several list fields accept the wildcard "*" (allowedCapabilities, volumes,
//    seccompProfiles, allowedUnsafeSysctls). A wildcard entry lifts the whole
//    restriction for that field, so it deserves the same scrutiny as
//    allowPrivilegedContainer.
//  - Field numbers are not in declaration order (21-25 appear between 8 and 9);
//    they are the wire identity of each field and must never be renumbered.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +kubebuilder:printcolumn:name="Priv",type=string,JSONPath=`.allowPrivilegedContainer`,description="Determines if a container can request to be run as privileged"
// +kubebuilder:printcolumn:name="Caps",type=string,JSONPath=`.allowedCapabilities`,description="A list of capabilities that can be requested to add to the container"
// +kubebuilder:printcolumn:name="SELinux",type=string,JSONPath=`.seLinuxContext.type`,description="Strategy that will dictate what labels will be set in the SecurityContext"
// +kubebuilder:printcolumn:name="RunAsUser",type=string,JSONPath=`.runAsUser.type`,description="Strategy that will dictate what RunAsUser is used in the SecurityContext"
// +kubebuilder:printcolumn:name="FSGroup",type=string,JSONPath=`.fsGroup.type`,description="Strategy that will dictate what fs group is used by the SecurityContext"
// +kubebuilder:printcolumn:name="SupGroup",type=string,JSONPath=`.supplementalGroups.type`,description="Strategy that will dictate what supplemental groups are used by the SecurityContext"
// +kubebuilder:printcolumn:name="Priority",type=string,JSONPath=`.priority`,description="Sort order of SCCs"
// +kubebuilder:printcolumn:name="ReadOnlyRootFS",type=string,JSONPath=`.readOnlyRootFilesystem`,description="Force containers to run with a read only root file system"
// +kubebuilder:printcolumn:name="Volumes",type=string,JSONPath=`.volumes`,description="White list of allowed volume plugins"
// +kubebuilder:singular=securitycontextconstraint
// +openshift:compatibility-gen:level=1
message SecurityContextConstraints {
  // metadata is the standard object's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // Priority influences the sort order of SCCs when evaluating which SCCs to try first for
  // a given pod request based on access in the Users and Groups fields. The higher the int, the
  // higher priority. An unset value is considered a 0 priority. If scores
  // for multiple SCCs are equal they will be sorted from most restrictive to
  // least restrictive. If both priorities and restrictions are equal the
  // SCCs will be sorted by name.
  // A high priority on a permissive SCC makes it win over stricter ones for every
  // subject that can use it, so priority changes are as security-relevant as the
  // restriction fields themselves.
  // +nullable
  optional int32 priority = 2;

  // AllowPrivilegedContainer determines if a container can request to be run as privileged.
  // Highest-impact flag in this message; review it together with
  // allowHostDirVolumePlugin and the allowHost* flags below.
  optional bool allowPrivilegedContainer = 3;

  // DefaultAddCapabilities is the default set of capabilities that will be added to the container
  // unless the pod spec specifically drops the capability. You may not list a capability in both
  // DefaultAddCapabilities and RequiredDropCapabilities.
  // +nullable
  repeated string defaultAddCapabilities = 4;

  // RequiredDropCapabilities are the capabilities that will be dropped from the container. These
  // are required to be dropped and cannot be added.
  // +nullable
  repeated string requiredDropCapabilities = 5;

  // AllowedCapabilities is a list of capabilities that can be requested to add to the container.
  // Capabilities in this field maybe added at the pod author's discretion.
  // You must not list a capability in both AllowedCapabilities and RequiredDropCapabilities.
  // To allow all capabilities you may use '*'.
  // +nullable
  repeated string allowedCapabilities = 6;

  // AllowHostDirVolumePlugin determines if the policy allow containers to use the HostDir volume plugin.
  // The conversion-gen marker below excludes this field from generated conversions.
  // NOTE(review): host directory volumes give the pod access to the node filesystem;
  // treat true as comparable in risk to allowPrivilegedContainer.
  // +k8s:conversion-gen=false
  optional bool allowHostDirVolumePlugin = 7;

  // Volumes is a white list of allowed volume plugins. FSType corresponds directly with the field names
  // of a VolumeSource (azureFile, configMap, emptyDir). To allow all volumes you may use "*".
  // To allow no volumes, set to ["none"].
  // An empty list is therefore not the same as "none"; use the explicit ["none"] form to deny all.
  // +nullable
  repeated string volumes = 8;

  // AllowedFlexVolumes is a whitelist of allowed Flexvolumes. Empty or nil indicates that all
  // Flexvolumes may be used. This parameter is effective only when the usage of the Flexvolumes
  // is allowed in the "Volumes" field.
  // Field number 21 was assigned after the neighbouring fields; the number is the wire
  // identity and stays as is.
  // +optional
  // +nullable
  repeated AllowedFlexVolume allowedFlexVolumes = 21;

  // AllowHostNetwork determines if the policy allows the use of HostNetwork in the pod spec.
  optional bool allowHostNetwork = 9;

  // AllowHostPorts determines if the policy allows host ports in the containers.
  optional bool allowHostPorts = 10;

  // AllowHostPID determines if the policy allows host pid in the containers.
  optional bool allowHostPID = 11;

  // AllowHostIPC determines if the policy allows host ipc in the containers.
  optional bool allowHostIPC = 12;

  // DefaultAllowPrivilegeEscalation controls the default setting for whether a
  // process can gain more privileges than its parent process.
  // Applied when the pod does not state a value itself; see allowPrivilegeEscalation
  // for what the pod may request.
  // +optional
  // +nullable
  optional bool defaultAllowPrivilegeEscalation = 22;

  // AllowPrivilegeEscalation determines if a pod can request to allow
  // privilege escalation. If unspecified, defaults to true.
  // Because the default is permissive, an SCC that wants to forbid escalation must set
  // this to false explicitly; leaving it unset does not restrict anything.
  // +optional
  // +nullable
  optional bool allowPrivilegeEscalation = 23;

  // SELinuxContext is the strategy that will dictate what labels will be set in the SecurityContext.
  // +nullable
  optional SELinuxContextStrategyOptions seLinuxContext = 13;

  // RunAsUser is the strategy that will dictate what RunAsUser is used in the SecurityContext.
  // +nullable
  optional RunAsUserStrategyOptions runAsUser = 14;

  // SupplementalGroups is the strategy that will dictate what supplemental groups are used by the SecurityContext.
  // +nullable
  optional SupplementalGroupsStrategyOptions supplementalGroups = 15;

  // FSGroup is the strategy that will dictate what fs group is used by the SecurityContext.
  // +nullable
  optional FSGroupStrategyOptions fsGroup = 16;

  // ReadOnlyRootFilesystem when set to true will force containers to run with a read only root file
  // system. If the container specifically requests to run with a non-read only root file system
  // the SCC should deny the pod.
  // If set to false the container may run with a read only root file system if it wishes but it
  // will not be forced to.
  optional bool readOnlyRootFilesystem = 17;

  // The users who have permission to use this security context constraint.
  // Together with groups this is the access binding of the SCC: it decides who the
  // restrictions above apply to at all (see the Priority description).
  // +optional
  // +nullable
  repeated string users = 18;

  // The groups that have permission to use this security context constraint.
  // +optional
  // +nullable
  repeated string groups = 19;

  // SeccompProfiles lists the allowed profiles that may be set for the pod or
  // container's seccomp annotations. An unset (nil) or empty value means that no profiles may
  // be specified by the pod or container. The wildcard '*' may be used to allow all profiles. When
  // used to generate a value for a pod the first non-wildcard profile will be used as
  // the default.
  // +nullable
  repeated string seccompProfiles = 20;

  // AllowedUnsafeSysctls is a list of explicitly allowed unsafe sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of allowed sysctls. Single * means all unsafe sysctls are allowed.
  // Kubelet has to whitelist all allowed unsafe sysctls explicitly to avoid rejection.
  //
  // Examples:
  // e.g. "foo/*" allows "foo/bar", "foo/baz", etc.
  // e.g. "foo.*" allows "foo.bar", "foo.baz", etc.
  // +optional
  // +nullable
  repeated string allowedUnsafeSysctls = 24;

  // ForbiddenSysctls is a list of explicitly forbidden sysctls, defaults to none.
  // Each entry is either a plain sysctl name or ends in "*" in which case it is considered
  // as a prefix of forbidden sysctls. Single * means all sysctls are forbidden.
  //
  // Examples:
  // e.g. "foo/*" forbids "foo/bar", "foo/baz", etc.
  // e.g. "foo.*" forbids "foo.bar", "foo.baz", etc.
  // +optional
  // +nullable
  repeated string forbiddenSysctls = 25;
}
349
// SecurityContextConstraintsList is a list of SecurityContextConstraints objects.
//
// Compatibility level 1: Stable within a major release for a minimum of 12 months or 3 minor releases (whichever is longer).
// +openshift:compatibility-gen:level=1
message SecurityContextConstraintsList {
  // metadata is the standard list's metadata.
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // List of security context constraints.
  repeated SecurityContextConstraints items = 2;
}
362
// ServiceAccountPodSecurityPolicyReviewStatus represents a ServiceAccount name and its related review status.
// One entry of PodSecurityPolicyReviewStatus.allowedServiceAccounts.
message ServiceAccountPodSecurityPolicyReviewStatus {
  // podSecurityPolicySubjectReviewStatus is the review outcome for this service account;
  // its allowedBy field names the rule that allowed the template (nil means denied).
  optional PodSecurityPolicySubjectReviewStatus podSecurityPolicySubjectReviewStatus = 1;

  // name is the ServiceAccount name this status refers to, whether it was allowed or denied.
  optional string name = 2;
}
370
// SupplementalGroupsStrategyOptions defines the strategy type and options used to create the strategy.
message SupplementalGroupsStrategyOptions {
  // Type is the strategy that will dictate what supplemental groups are used in the SecurityContext.
  // Free-form string; an unrecognized value should be rejected by the consumer rather
  // than treated as permissive.
  optional string type = 1;

  // Ranges are the allowed ranges of supplemental groups. If you would like to force a single
  // supplemental group then supply a single range with the same start and end.
  // Both ends of every IDRange are inclusive.
  repeated IDRange ranges = 2;
}
380