/*
Copyright 2016 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// +genclient
// +genclient:nonNamespaced
// +genclient:noVerbs
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// ImageReview checks if the set of images in a pod are allowed.
//
// The genclient markers above declare the type cluster-scoped with no client
// verbs generated, which is consistent with its use as a request/response
// document exchanged with an image policy webhook backend (Spec is the
// question, Status is the backend's answer) rather than a persisted object.
type ImageReview struct {
	metav1.TypeMeta `json:",inline"`
	// Standard object's metadata.
	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	// +optional
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec holds information about the pod being evaluated.
	// It is always serialized (no omitempty), so a review without a spec is still
	// sent as an empty spec rather than being dropped from the wire format.
	Spec ImageReviewSpec `json:"spec" protobuf:"bytes,2,opt,name=spec"`

	// Status is filled in by the backend and indicates whether the pod should be allowed.
	// +optional
	Status ImageReviewStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"`
}

// ImageReviewSpec is a description of the pod creation request.
//
// Everything in this struct is derived from the Pod being created and should
// be treated by a backend as input supplied by the pod's creator.
type ImageReviewSpec struct {
	// Containers is a list of a subset of the information in each container of the Pod being created.
	// +optional
	// +listType=atomic
	Containers []ImageReviewContainerSpec `json:"containers,omitempty" protobuf:"bytes,1,rep,name=containers"`
	// Annotations is a list of key-value pairs extracted from the Pod's annotations.
	// It only includes keys which match the pattern `*.image-policy.k8s.io/*`.
	// It is up to each webhook backend to determine how to interpret these annotations, if at all.
	// Because the values originate in the Pod manifest, a backend must not treat them
	// as trusted assertions; they are hints from the requester, not from the cluster.
	// +optional
	Annotations map[string]string `json:"annotations,omitempty" protobuf:"bytes,2,rep,name=annotations"`
	// Namespace is the namespace the pod is being created in.
	// +optional
	Namespace string `json:"namespace,omitempty" protobuf:"bytes,3,opt,name=namespace"`
}

// ImageReviewContainerSpec is a description of a container within the pod creation request.
type ImageReviewContainerSpec struct {
	// This can be in the form image:tag or image@SHA:012345679abcdef.
	// A tag is a mutable reference that can later be re-pointed at different
	// content; only the digest form identifies a specific image. A backend that
	// allows by tag is therefore allowing a name, not a fixed set of bytes.
	// Because the field is optional, an omitted image arrives as the empty string.
	// +optional
	Image string `json:"image,omitempty" protobuf:"bytes,1,opt,name=image"`
	// In future, we may add command line overrides, exec health check command lines, and so on.
}

// ImageReviewStatus is the result of the review for the pod creation request.
type ImageReviewStatus struct {
	// Allowed indicates that all images were allowed to be run.
	// The field carries no omitempty and is a plain bool, so a backend response
	// that leaves it out decodes to the zero value false, i.e. not allowed.
	Allowed bool `json:"allowed" protobuf:"varint,1,opt,name=allowed"`
	// Reason should be empty unless Allowed is false in which case it
	// may contain a short description of what is wrong. Kubernetes
	// may truncate excessively long errors when displaying to the user.
	// +optional
	Reason string `json:"reason,omitempty" protobuf:"bytes,2,opt,name=reason"`
	// AuditAnnotations will be added to the attributes object of the
	// admission controller request using 'AddAnnotation'. The keys should
	// be prefix-less (i.e., the admission controller will add an
	// appropriate prefix).
	// This is the backend's channel for recording the basis of its decision
	// so that it can be reviewed after the fact, independent of Reason.
	// +optional
	AuditAnnotations map[string]string `json:"auditAnnotations,omitempty" protobuf:"bytes,3,rep,name=auditAnnotations"`
}