1/*
2Copyright The Kubernetes Authors.
3
4Licensed under the Apache License, Version 2.0 (the "License");
5you may not use this file except in compliance with the License.
6You may obtain a copy of the License at
7
8 http://www.apache.org/licenses/LICENSE-2.0
9
10Unless required by applicable law or agreed to in writing, software
11distributed under the License is distributed on an "AS IS" BASIS,
12WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13See the License for the specific language governing permissions and
14limitations under the License.
15*/
16
17
18// This file was autogenerated by go-to-protobuf. Do not edit it manually!
19
20syntax = "proto2";
21
22package k8s.io.api.authentication.v1beta1;
23
24import "k8s.io/api/authentication/v1/generated.proto";
25import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
26import "k8s.io/apimachinery/pkg/runtime/generated.proto";
27import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
28
29// Package-wide variables from generator "generated".
30option go_package = "k8s.io/api/authentication/v1beta1";
31
32// ExtraValue masks the value so protobuf can generate
33// +protobuf.nullable=true
34// +protobuf.options.(gogoproto.goproto_stringer)=false
35message ExtraValue {
36 // items, if empty, will result in an empty slice
37
38 repeated string items = 1;
39}
40
41// SelfSubjectReview contains the user information that the kube-apiserver has about the user making this request.
42// When using impersonation, users will receive the user info of the user being impersonated. If impersonation or
43// request header authentication is used, any extra keys will have their case ignored and returned as lowercase.
44message SelfSubjectReview {
45 // Standard object's metadata.
46 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
47 // +optional
48 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
49
50 // Status is filled in by the server with the user attributes.
51 optional SelfSubjectReviewStatus status = 2;
52}
53
54// SelfSubjectReviewStatus is filled by the kube-apiserver and sent back to a user.
55message SelfSubjectReviewStatus {
56 // User attributes of the user making this request.
57 // +optional
58 optional k8s.io.api.authentication.v1.UserInfo userInfo = 1;
59}
60
61// TokenReview attempts to authenticate a token to a known user.
62// Note: TokenReview requests may be cached by the webhook token authenticator
63// plugin in the kube-apiserver.
64message TokenReview {
65 // Standard object's metadata.
66 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
67 // +optional
68 optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
69
70 // Spec holds information about the request being evaluated
71 optional TokenReviewSpec spec = 2;
72
73 // Status is filled in by the server and indicates whether the token can be authenticated.
74 // +optional
75 optional TokenReviewStatus status = 3;
76}
77
78// TokenReviewSpec is a description of the token authentication request.
79message TokenReviewSpec {
80 // Token is the opaque bearer token.
81 // +optional
82 optional string token = 1;
83
84 // Audiences is a list of the identifiers that the resource server presented
85 // with the token identifies as. Audience-aware token authenticators will
86 // verify that the token was intended for at least one of the audiences in
87 // this list. If no audiences are provided, the audience will default to the
88 // audience of the Kubernetes apiserver.
89 // +optional
90 // +listType=atomic
91 repeated string audiences = 2;
92}
93
94// TokenReviewStatus is the result of the token authentication request.
95message TokenReviewStatus {
96 // Authenticated indicates that the token was associated with a known user.
97 // +optional
98 optional bool authenticated = 1;
99
100 // User is the UserInfo associated with the provided token.
101 // +optional
102 optional UserInfo user = 2;
103
104 // Audiences are audience identifiers chosen by the authenticator that are
105 // compatible with both the TokenReview and token. An identifier is any
106 // identifier in the intersection of the TokenReviewSpec audiences and the
107 // token's audiences. A client of the TokenReview API that sets the
108 // spec.audiences field should validate that a compatible audience identifier
109 // is returned in the status.audiences field to ensure that the TokenReview
110 // server is audience aware. If a TokenReview returns an empty
111 // status.audience field where status.authenticated is "true", the token is
112 // valid against the audience of the Kubernetes API server.
113 // +optional
114 // +listType=atomic
115 repeated string audiences = 4;
116
117 // Error indicates that the token couldn't be checked
118 // +optional
119 optional string error = 3;
120}
121
122// UserInfo holds the information about the user needed to implement the
123// user.Info interface.
124message UserInfo {
125 // The name that uniquely identifies this user among all active users.
126 // +optional
127 optional string username = 1;
128
129 // A unique value that identifies this user across time. If this user is
130 // deleted and another user by the same name is added, they will have
131 // different UIDs.
132 // +optional
133 optional string uid = 2;
134
135 // The names of groups this user is a part of.
136 // +optional
137 // +listType=atomic
138 repeated string groups = 3;
139
140 // Any additional information provided by the authenticator.
141 // +optional
142 map<string, ExtraValue> extra = 4;
143}
144
View as plain text