
     1  /*
     2  Copyright 2023 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1alpha1
    18  
    19  import (
    20  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    21  )
    22  
// +genclient
// +genclient:nonNamespaced
// +k8s:prerelease-lifecycle-gen:introduced=1.26
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterTrustBundle is a cluster-scoped container for X.509 trust anchors
// (root certificates).
//
// ClusterTrustBundle objects are considered to be readable by any authenticated
// user in the cluster, because they can be mounted by pods using the
// `clusterTrustBundle` projection.  All service accounts have read access to
// ClusterTrustBundles by default.  Users who only have namespace-level access
// to a cluster can read ClusterTrustBundles by impersonating a serviceaccount
// that they have access to.  Because of this broad readability, a bundle is
// a place for public CA certificates only; it is not a secret store and must
// never carry private key material.
//
// It can be optionally associated with a particular signer, in which case it
// contains one valid set of trust anchors for that signer. Signers may have
// multiple associated ClusterTrustBundles; each is an independent set of trust
// anchors for that signer. Admission control is used to enforce that only users
// with permissions on the signer can create or modify the corresponding bundle.
type ClusterTrustBundle struct {
	metav1.TypeMeta `json:",inline"`

	// metadata contains the object metadata.
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// spec contains the signer (if any) and trust anchors.  See
	// ClusterTrustBundleSpec for the naming rule that ties a bundle to its
	// signer and for the validation applied to the PEM data.
	Spec ClusterTrustBundleSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`
}
    53  
// ClusterTrustBundleSpec contains the signer and trust anchors.
type ClusterTrustBundleSpec struct {
	// signerName indicates the associated signer, if any.
	//
	// In order to create or update a ClusterTrustBundle that sets signerName,
	// you must have the following cluster-scoped permission:
	// group=certificates.k8s.io resource=signers resourceName=<the signer name>
	// verb=attest.
	//
	// If signerName is not empty, then the ClusterTrustBundle object must be
	// named with the signer name as a prefix (translating slashes to colons).
	// For example, for the signer name `example.com/foo`, valid
	// ClusterTrustBundle object names include `example.com:foo:abc` and
	// `example.com:foo:v1`.  The prefix rule is what lets the attest
	// permission on a signer gate every bundle that claims to belong to it.
	//
	// If signerName is empty, then the ClusterTrustBundle object's name must
	// not have such a prefix.
	//
	// List/watch requests for ClusterTrustBundles can filter on this field
	// using a `spec.signerName=NAME` field selector.
	//
	// +optional
	SignerName string `json:"signerName,omitempty" protobuf:"bytes,1,opt,name=signerName"`

	// trustBundle contains the individual X.509 trust anchors for this
	// bundle, as PEM bundle of PEM-wrapped, DER-formatted X.509 certificates.
	//
	// The data must consist only of PEM certificate blocks that parse as valid
	// X.509 certificates.  Each certificate must include a basic constraints
	// extension with the CA bit set.  The API server will reject objects that
	// contain duplicate certificates, or that use PEM block headers.
	//
	// Users of ClusterTrustBundles, including Kubelet, are free to reorder and
	// deduplicate certificate blocks in this file according to their own logic,
	// as well as to drop PEM block headers and inter-block data.  Consumers
	// that turn this field into a trust store should treat the validation
	// above as a server-side guarantee about stored objects, not as a
	// substitute for parsing the PEM they receive.
	TrustBundle string `json:"trustBundle" protobuf:"bytes,2,opt,name=trustBundle"`
}
    91  
// +k8s:prerelease-lifecycle-gen:introduced=1.26
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ClusterTrustBundleList is a collection of ClusterTrustBundle objects.
type ClusterTrustBundleList struct {
	metav1.TypeMeta `json:",inline"`

	// metadata contains the list metadata.
	//
	// +optional
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// items is a collection of ClusterTrustBundle objects.  It may be empty;
	// the field is not marked optional, so it is always serialized.
	Items []ClusterTrustBundle `json:"items" protobuf:"bytes,2,rep,name=items"`
}
   107  
