/*
Copyright The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/


// This file was autogenerated by go-to-protobuf. Do not edit it manually!

// proto2 syntax: singular fields in this file carry an explicit `optional` label.
syntax = "proto2";

package k8s.io.apiextensions_apiserver.pkg.apis.apiextensions.v1beta1;

// Shared Kubernetes API machinery types referenced by the messages in this file.
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";

// Package-wide variables from generator "generated".
option go_package = "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1beta1";
// ConversionRequest carries the parameters of a single conversion call.
message ConversionRequest {
  // uid identifies this individual request/response pair, so that requests
  // which are otherwise identical (parallel requests, etc) can be told apart.
  // It tracks the round trip (request/response) between the Kubernetes API
  // server and the webhook, not the user request, and is suitable for
  // correlating log entries between the webhook and the apiserver, for either
  // auditing or debugging.
  optional string uid = 1;

  // desiredAPIVersion is the version the given objects are to be converted to,
  // e.g. "myapi.example.com/v1".
  optional string desiredAPIVersion = 2;

  // objects is the list of custom resource objects to be converted.
  // +listType=atomic
  repeated k8s.io.apimachinery.pkg.runtime.RawExtension objects = 3;
}
// ConversionResponse carries the outcome of a conversion call.
message ConversionResponse {
  // uid identifies the individual request/response pair.
  // It should be copied over from the corresponding `request.uid`.
  optional string uid = 1;

  // convertedObjects holds the converted versions of `request.objects` when
  // `result` is successful, and is empty otherwise.
  // The webhook is expected to set `apiVersion` of these objects to
  // `request.desiredAPIVersion`. The list must also have the same size as the
  // input list, with the same objects in the same order (equal kind,
  // metadata.uid, metadata.name and metadata.namespace).
  // The webhook is allowed to mutate labels and annotations. Any other change
  // to the metadata is silently ignored.
  // +listType=atomic
  repeated k8s.io.apimachinery.pkg.runtime.RawExtension convertedObjects = 2;

  // result reports the result of the conversion, with extra details if the
  // conversion failed. `result.status` is required and determines whether the
  // conversion succeeded or failed: a successful conversion must set it to
  // `Success`; a failed conversion must set it to `Failure`, provide more
  // details in `result.message`, and return http status 200.
  // `result.message` will be used to construct an error message for the end
  // user.
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Status result = 3;
}
// ConversionReview is the envelope for a conversion request and its response.
message ConversionReview {
  // request holds the attributes of the conversion request.
  // +optional
  optional ConversionRequest request = 1;

  // response holds the attributes of the conversion response.
  // +optional
  optional ConversionResponse response = 2;
}
// CustomResourceColumnDefinition describes one column for server side printing.
message CustomResourceColumnDefinition {
  // name is a human readable name for the column.
  optional string name = 1;

  // type is an OpenAPI type definition for this column.
  // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
  optional string type = 2;

  // format is an optional OpenAPI type definition for this column. The 'name'
  // format is applied to the primary identifier column, to help clients
  // identify that the column is the resource name.
  // See https://github.com/OAI/OpenAPI-Specification/blob/master/versions/2.0.md#data-types for details.
  // +optional
  optional string format = 3;

  // description is a human readable description of this column.
  // +optional
  optional string description = 4;

  // priority is an integer giving the relative importance of this column
  // compared to others. Lower numbers are considered higher priority. Columns
  // that may be omitted in limited space scenarios should be given a priority
  // greater than 0.
  // +optional
  optional int32 priority = 5;

  // JSONPath is a simple JSON path (i.e. with array notation) which is
  // evaluated against each custom resource to produce the value for this
  // column.
  optional string JSONPath = 6;
}
// CustomResourceConversion describes how different versions of a CR are
// converted into one another.
message CustomResourceConversion {
  // strategy selects how custom resources are converted between versions.
  // Allowed values are:
  // - `None`: the converter only changes the apiVersion and does not touch any
  //   other field in the custom resource.
  // - `Webhook`: the API server calls an external webhook to do the
  //   conversion. Additional information is needed for this option. This
  //   requires spec.preserveUnknownFields to be false, and
  //   spec.conversion.webhookClientConfig to be set.
  optional string strategy = 1;

  // webhookClientConfig holds the instructions for how to call the webhook if
  // strategy is `Webhook`.
  // Required when `strategy` is set to `Webhook`.
  // +optional
  optional WebhookClientConfig webhookClientConfig = 2;

  // conversionReviewVersions is an ordered list of preferred
  // `ConversionReview` versions the Webhook expects. The API server will use
  // the first version in the list which it supports. If none of the versions
  // specified in this list are supported by the API server, conversion will
  // fail for the custom resource.
  // If a persisted Webhook configuration specifies allowed versions and does
  // not include any versions known to the API Server, calls to the webhook
  // will fail.
  // Defaults to `["v1beta1"]`.
  // +optional
  // +listType=atomic
  repeated string conversionReviewVersions = 3;
}
// CustomResourceDefinition represents a resource that should be exposed on the
// API server. Its name MUST be in the format <.spec.name>.<.spec.group>.
// Deprecated in v1.16, planned for removal in v1.22. Use
// apiextensions.k8s.io/v1 CustomResourceDefinition instead.
message CustomResourceDefinition {
  // Standard object's metadata
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;

  // spec states how the user wants the resources to appear.
  optional CustomResourceDefinitionSpec spec = 2;

  // status reports the actual state of the CustomResourceDefinition.
  // +optional
  optional CustomResourceDefinitionStatus status = 3;
}
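// CustomResourceDefinitionCondition contains details for the current condition
// of this CustomResourceDefinition.
// (The generated comment said "of this pod"; these conditions are the ones
// listed in CustomResourceDefinitionStatus.conditions.)
message CustomResourceDefinitionCondition {
  // type is the type of the condition. Types include Established,
  // NamesAccepted and Terminating.
  optional string type = 1;

  // status is the status of the condition.
  // Can be True, False, Unknown.
  optional string status = 2;

  // lastTransitionTime is the last time the condition transitioned from one
  // status to another.
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.Time lastTransitionTime = 3;

  // reason is a unique, one-word, CamelCase reason for the condition's last
  // transition.
  // +optional
  optional string reason = 4;

  // message is a human-readable message indicating details about the last
  // transition.
  // +optional
  optional string message = 5;
}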
// CustomResourceDefinitionList holds a list of CustomResourceDefinition
// objects.
message CustomResourceDefinitionList {
  // Standard object's metadata
  // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
  // +optional
  optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;

  // items lists the individual CustomResourceDefinition objects.
  repeated CustomResourceDefinition items = 2;
}
// CustomResourceDefinitionNames gives the names under which this
// CustomResourceDefinition is served.
message CustomResourceDefinitionNames {
  // plural is the plural name of the resource to serve.
  // The custom resources are served under `/apis/<group>/<version>/.../<plural>`.
  // Must match the name of the CustomResourceDefinition (in the form
  // `<names.plural>.<group>`).
  // Must be all lowercase.
  optional string plural = 1;

  // singular is the singular name of the resource. It must be all lowercase.
  // Defaults to lowercased `kind`.
  // +optional
  optional string singular = 2;

  // shortNames are short names for the resource, exposed in API discovery
  // documents, and used by clients to support invocations like
  // `kubectl get <shortname>`.
  // It must be all lowercase.
  // +optional
  // +listType=atomic
  repeated string shortNames = 3;

  // kind is the serialized kind of the resource. It is normally CamelCase and
  // singular. Custom resource instances will use this value as the `kind`
  // attribute in API calls.
  optional string kind = 4;

  // listKind is the serialized kind of the list for this resource.
  // Defaults to "`kind`List".
  // +optional
  optional string listKind = 5;

  // categories is a list of grouped resources this custom resource belongs to
  // (e.g. 'all'). This is published in API discovery documents, and used by
  // clients to support invocations like `kubectl get all`.
  // +optional
  // +listType=atomic
  repeated string categories = 6;
}
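// CustomResourceDefinitionSpec describes how a user wants their resource to
// appear.
message CustomResourceDefinitionSpec {
  // group is the API group of the defined custom resource.
  // The custom resources are served under `/apis/<group>/...`.
  // Must match the name of the CustomResourceDefinition (in the form
  // `<names.plural>.<group>`).
  optional string group = 1;

  // version is the API version of the defined custom resource.
  // The custom resources are served under `/apis/<group>/<version>/...`.
  // Must match the name of the first item in the `versions` list if `version`
  // and `versions` are both specified.
  // Optional if `versions` is specified.
  // Deprecated: use `versions` instead.
  // +optional
  optional string version = 2;

  // names specify the resource and kind names for the custom resource.
  optional CustomResourceDefinitionNames names = 3;

  // scope indicates whether the defined custom resource is cluster- or
  // namespace-scoped.
  // Allowed values are `Cluster` and `Namespaced`. Default is `Namespaced`.
  optional string scope = 4;

  // validation describes the schema used for validation and pruning of the
  // custom resource.
  // If present, this validation schema is used to validate all versions.
  // Top-level and per-version schemas are mutually exclusive.
  // +optional
  optional CustomResourceValidation validation = 5;

  // subresources specify what subresources the defined custom resource has.
  // If present, this field configures subresources for all versions.
  // Top-level and per-version subresources are mutually exclusive.
  // +optional
  optional CustomResourceSubresources subresources = 6;

  // versions is the list of all API versions of the defined custom resource.
  // Optional if `version` is specified.
  // The name of the first item in the `versions` list must match the `version`
  // field if `version` and `versions` are both specified.
  // Version names are used to compute the order in which served versions are
  // listed in API discovery.
  // If the version string is "kube-like", it will sort above non "kube-like"
  // version strings, which are ordered lexicographically. "Kube-like" versions
  // start with a "v", then are followed by a number (the major version), then
  // optionally the string "alpha" or "beta" and another number (the minor
  // version). These are sorted first by GA > beta > alpha (where GA is a
  // version with no suffix such as beta or alpha), and then by comparing major
  // version, then minor version. An example sorted list of versions:
  // v10, v2, v1, v11beta2, v10beta3, v3beta1, v12alpha1, v11alpha2, foo1, foo10.
  // +optional
  // +listType=atomic
  repeated CustomResourceDefinitionVersion versions = 7;

  // additionalPrinterColumns specifies additional columns returned in Table
  // output.
  // See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
  // If present, this field configures columns for all versions.
  // Top-level and per-version columns are mutually exclusive.
  // If no top-level or per-version columns are specified, a single column
  // displaying the age of the custom resource is used.
  // +optional
  // +listType=atomic
  repeated CustomResourceColumnDefinition additionalPrinterColumns = 8;

  // selectableFields specifies paths to fields that may be used as field
  // selectors.
  // See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors
  //
  // +featureGate=CustomResourceFieldSelectors
  // +optional
  // +listType=atomic
  repeated SelectableField selectableFields = 11;

  // conversion defines conversion settings for the CRD.
  // +optional
  optional CustomResourceConversion conversion = 9;

  // preserveUnknownFields indicates that object fields which are not specified
  // in the OpenAPI schema should be preserved when persisting to storage.
  // apiVersion, kind, metadata and known fields inside metadata are always
  // preserved.
  // If false, schemas must be defined for all versions.
  // Defaults to true in v1beta for backwards compatibility.
  // Deprecated: will be required to be false in v1. Preservation of unknown
  // fields can be specified in the validation schema using the
  // `x-kubernetes-preserve-unknown-fields: true` extension.
  // See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/#field-pruning for details.
  //
  // Security note: because the v1beta1 default is true, a definition that
  // leaves this unset persists fields the schema does not describe instead of
  // pruning them. Set it to false and define a schema for every version when
  // only declared fields should reach storage; the `Webhook` conversion
  // strategy (see CustomResourceConversion.strategy) requires false as well.
  // +optional
  optional bool preserveUnknownFields = 10;
}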
// CustomResourceDefinitionStatus reports the state of the
// CustomResourceDefinition.
message CustomResourceDefinitionStatus {
  // conditions indicate state for particular aspects of a
  // CustomResourceDefinition.
  // +optional
  // +listType=map
  // +listMapKey=type
  repeated CustomResourceDefinitionCondition conditions = 1;

  // acceptedNames are the names that are actually being used to serve
  // discovery. They may be different than the names in spec.
  // +optional
  optional CustomResourceDefinitionNames acceptedNames = 2;

  // storedVersions lists all versions of CustomResources that were ever
  // persisted. Tracking these versions allows a migration path for stored
  // versions in etcd. The field is mutable so a migration controller can
  // finish a migration to another version (ensuring no old objects are left in
  // storage), and then remove the rest of the versions from this list.
  // Versions may not be removed from `spec.versions` while they exist in this
  // list.
  // +optional
  // +listType=atomic
  repeated string storedVersions = 3;
}
// CustomResourceDefinitionVersion describes one version of a CRD.
message CustomResourceDefinitionVersion {
  // name is the version name, e.g. "v1", "v2beta1", etc.
  // The custom resources are served under this version at
  // `/apis/<group>/<version>/...` if `served` is true.
  optional string name = 1;

  // served is a flag enabling/disabling this version from being served via
  // REST APIs.
  optional bool served = 2;

  // storage indicates this version should be used when persisting custom
  // resources to storage.
  // There must be exactly one version with storage=true.
  optional bool storage = 3;

  // deprecated indicates this version of the custom resource API is
  // deprecated. When set to true, API requests to this version receive a
  // warning header in the server response.
  // Defaults to false.
  // +optional
  optional bool deprecated = 7;

  // deprecationWarning overrides the default warning returned to API clients.
  // May only be set when `deprecated` is true.
  // The default warning indicates this version is deprecated and recommends
  // use of the newest served version of equal or greater stability, if one
  // exists.
  // +optional
  optional string deprecationWarning = 8;

  // schema describes the schema used for validation and pruning of this
  // version of the custom resource.
  // Top-level and per-version schemas are mutually exclusive.
  // Per-version schemas must not all be set to identical values (top-level
  // validation schema should be used instead).
  // +optional
  optional CustomResourceValidation schema = 4;

  // subresources specify what subresources this version of the defined custom
  // resource has.
  // Top-level and per-version subresources are mutually exclusive.
  // Per-version subresources must not all be set to identical values
  // (top-level subresources should be used instead).
  // +optional
  optional CustomResourceSubresources subresources = 5;

  // additionalPrinterColumns specifies additional columns returned in Table
  // output.
  // See https://kubernetes.io/docs/reference/using-api/api-concepts/#receiving-resources-as-tables for details.
  // Top-level and per-version columns are mutually exclusive.
  // Per-version columns must not all be set to identical values (top-level
  // columns should be used instead).
  // If no top-level or per-version columns are specified, a single column
  // displaying the age of the custom resource is used.
  // +optional
  // +listType=atomic
  repeated CustomResourceColumnDefinition additionalPrinterColumns = 6;

  // selectableFields specifies paths to fields that may be used as field
  // selectors.
  // See https://kubernetes.io/docs/concepts/overview/working-with-objects/field-selectors
  //
  // +featureGate=CustomResourceFieldSelectors
  // +optional
  // +listType=atomic
  repeated SelectableField selectableFields = 9;
}
// CustomResourceSubresourceScale defines how the scale subresource is served
// for CustomResources.
message CustomResourceSubresourceScale {
  // specReplicasPath defines the JSON path inside of a custom resource that
  // corresponds to Scale `spec.replicas`.
  // Only JSON paths without the array notation are allowed.
  // Must be a JSON Path under `.spec`.
  // If there is no value under the given path in the custom resource, the
  // `/scale` subresource will return an error on GET.
  optional string specReplicasPath = 1;

  // statusReplicasPath defines the JSON path inside of a custom resource that
  // corresponds to Scale `status.replicas`.
  // Only JSON paths without the array notation are allowed.
  // Must be a JSON Path under `.status`.
  // If there is no value under the given path in the custom resource, the
  // `status.replicas` value in the `/scale` subresource will default to 0.
  optional string statusReplicasPath = 2;

  // labelSelectorPath defines the JSON path inside of a custom resource that
  // corresponds to Scale `status.selector`.
  // Only JSON paths without the array notation are allowed.
  // Must be a JSON Path under `.status` or `.spec`.
  // Must be set to work with HorizontalPodAutoscaler.
  // The field pointed to by this JSON path must be a string field (not a
  // complex selector struct) which contains a serialized label selector in
  // string form.
  // More info: https://kubernetes.io/docs/tasks/access-kubernetes-api/custom-resources/custom-resource-definitions#scale-subresource
  // If there is no value under the given path in the custom resource, the
  // `status.selector` value in the `/scale` subresource will default to the
  // empty string.
  // +optional
  optional string labelSelectorPath = 3;
}
// CustomResourceSubresourceStatus defines how the status subresource is served
// for CustomResources. Status is represented by the `.status` JSON path inside
// of a CustomResource. When set,
// * exposes a /status subresource for the custom resource
// * PUT requests to the /status subresource take a custom resource object, and
//   ignore changes to anything except the status stanza
// * PUT/POST/PATCH requests to the custom resource ignore changes to the
//   status stanza
//
// The message declares no fields.
message CustomResourceSubresourceStatus {
}
// CustomResourceSubresources defines the status and scale subresources for
// CustomResources.
message CustomResourceSubresources {
  // status indicates the custom resource should serve a `/status` subresource.
  // When enabled:
  // 1. requests to the custom resource primary endpoint ignore changes to the
  //    `status` stanza of the object.
  // 2. requests to the custom resource `/status` subresource ignore changes to
  //    anything other than the `status` stanza of the object.
  // +optional
  optional CustomResourceSubresourceStatus status = 1;

  // scale indicates the custom resource should serve a `/scale` subresource
  // that returns an `autoscaling/v1` Scale object.
  // +optional
  optional CustomResourceSubresourceScale scale = 2;
}
// CustomResourceValidation is a list of validation methods for
// CustomResources.
message CustomResourceValidation {
  // openAPIV3Schema is the OpenAPI v3 schema used for validation and pruning.
  // +optional
  optional JSONSchemaProps openAPIV3Schema = 1;
}
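// ExternalDocumentation allows referencing an external resource for extended
// documentation.
message ExternalDocumentation {
  // description is presumably a human-readable summary of the external
  // resource; its semantics are not stated in this file (TODO confirm).
  optional string description = 1;

  // url is presumably the location of the external resource (TODO confirm).
  // NOTE(review): nothing in this schema constrains the scheme or host, so a
  // consumer that renders or dereferences this value should validate it first.
  optional string url = 2;
}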
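// JSON represents any valid JSON value.
// These types are supported: bool, int64, float64, string, []interface{},
// map[string]interface{} and nil.
message JSON {
  // raw carries the value as opaque bytes.
  // NOTE(review): presumably the serialized JSON text (TODO confirm the
  // encoding). The `bytes` type itself validates nothing, so a consumer must
  // parse the contents defensively rather than assume well-formed JSON.
  optional bytes raw = 1;
}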
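// JSONSchemaProps is a JSON-Schema following Specification Draft 4
// (http://json-schema.org/).
//
// The message is self-referential: allOf, oneOf, anyOf, not, properties,
// patternProperties, definitions and the JSONSchemaPropsOr* wrappers all embed
// further JSONSchemaProps values. Nothing in this schema bounds the nesting
// depth, so code that decodes or walks a schema from an untrusted source
// should enforce its own depth and size limits.
//
// Fields without their own comment are named after JSON-Schema keywords and
// carry no further description in this file.
message JSONSchemaProps {
  optional string id = 1;

  optional string schema = 2;

  // NOTE(review): presumably the JSON-Schema reference keyword; this file does
  // not say whether or how references are resolved (TODO confirm).
  optional string ref = 3;

  optional string description = 4;

  optional string type = 5;

  // format is an OpenAPI v3 format string. Unknown formats are ignored. The following formats are validated:
  //
  // - bsonobjectid: a bson object ID, i.e. a 24 characters hex string
  // - uri: an URI as parsed by Golang net/url.ParseRequestURI
  // - email: an email address as parsed by Golang net/mail.ParseAddress
  // - hostname: a valid representation for an Internet host name, as defined by RFC 1034, section 3.1 [RFC1034].
  // - ipv4: an IPv4 IP as parsed by Golang net.ParseIP
  // - ipv6: an IPv6 IP as parsed by Golang net.ParseIP
  // - cidr: a CIDR as parsed by Golang net.ParseCIDR
  // - mac: a MAC address as parsed by Golang net.ParseMAC
  // - uuid: an UUID that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{4}-?[0-9a-f]{12}$
  // - uuid3: an UUID3 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?3[0-9a-f]{3}-?[0-9a-f]{4}-?[0-9a-f]{12}$
  // - uuid4: an UUID4 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?4[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
  // - uuid5: an UUID5 that allows uppercase defined by the regex (?i)^[0-9a-f]{8}-?[0-9a-f]{4}-?5[0-9a-f]{3}-?[89ab][0-9a-f]{3}-?[0-9a-f]{12}$
  // - isbn: an ISBN10 or ISBN13 number string like "0321751043" or "978-0321751041"
  // - isbn10: an ISBN10 number string like "0321751043"
  // - isbn13: an ISBN13 number string like "978-0321751041"
  // - creditcard: a credit card number defined by the regex ^(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|6(?:011|5[0-9][0-9])[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|(?:2131|1800|35\\d{3})\\d{11})$ with any non digit characters mixed in
  // - ssn: a U.S. social security number following the regex ^\\d{3}[- ]?\\d{2}[- ]?\\d{4}$
  // - hexcolor: an hexadecimal color code like "#FFFFFF" following the regex ^#?([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$
  // - rgbcolor: an RGB color code like "rgb(255,255,255)"
  // - byte: base64 encoded binary data
  // - password: any kind of string
  // - date: a date string like "2006-01-02" as defined by full-date in RFC3339
  // - duration: a duration string like "22 ns" as parsed by Golang time.ParseDuration or compatible with Scala duration format
  // - datetime: a date time string like "2014-12-15T19:30:20.000Z" as defined by date-time in RFC3339.
  //
  // Review notes:
  // - Because unknown formats are ignored, a misspelled format name validates
  //   nothing; do not rely on `format` alone to constrain untrusted input.
  // - `password` accepts any string, so it adds no validation. Nothing in this
  //   file indicates that values with this format are redacted or encrypted.
  optional string format = 6;

  optional string title = 7;

  // default is a default value for undefined object fields.
  // Defaulting is a beta feature under the CustomResourceDefaulting feature gate.
  // CustomResourceDefinitions with defaults must be created using the v1 (or newer) CustomResourceDefinition API.
  optional JSON default = 8;

  optional double maximum = 9;

  optional bool exclusiveMaximum = 10;

  optional double minimum = 11;

  optional bool exclusiveMinimum = 12;

  optional int64 maxLength = 13;

  optional int64 minLength = 14;

  // NOTE(review): presumably a regular expression that string values must
  // match; the regex dialect and any evaluation limits are not stated in this
  // file (TODO confirm).
  optional string pattern = 15;

  optional int64 maxItems = 16;

  optional int64 minItems = 17;

  optional bool uniqueItems = 18;

  optional double multipleOf = 19;

  // +listType=atomic
  repeated JSON enum = 20;

  optional int64 maxProperties = 21;

  optional int64 minProperties = 22;

  // +listType=atomic
  repeated string required = 23;

  optional JSONSchemaPropsOrArray items = 24;

  // +listType=atomic
  repeated JSONSchemaProps allOf = 25;

  // +listType=atomic
  repeated JSONSchemaProps oneOf = 26;

  // +listType=atomic
  repeated JSONSchemaProps anyOf = 27;

  optional JSONSchemaProps not = 28;

  map<string, JSONSchemaProps> properties = 29;

  optional JSONSchemaPropsOrBool additionalProperties = 30;

  map<string, JSONSchemaProps> patternProperties = 31;

  map<string, JSONSchemaPropsOrStringArray> dependencies = 32;

  optional JSONSchemaPropsOrBool additionalItems = 33;

  map<string, JSONSchemaProps> definitions = 34;

  optional ExternalDocumentation externalDocs = 35;

  optional JSON example = 36;

  optional bool nullable = 37;

  // x-kubernetes-preserve-unknown-fields stops the API server
  // decoding step from pruning fields which are not specified
  // in the validation schema. This affects fields recursively,
  // but switches back to normal pruning behaviour if nested
  // properties or additionalProperties are specified in the schema.
  // This can either be true or undefined. False is forbidden.
  optional bool xKubernetesPreserveUnknownFields = 38;

  // x-kubernetes-embedded-resource defines that the value is an
  // embedded Kubernetes runtime.Object, with TypeMeta and
  // ObjectMeta. The type must be object. It is allowed to further
  // restrict the embedded object. kind, apiVersion and metadata
  // are validated automatically. x-kubernetes-preserve-unknown-fields
  // is allowed to be true, but does not have to be if the object
  // is fully specified (up to kind, apiVersion, metadata).
  optional bool xKubernetesEmbeddedResource = 39;

  // x-kubernetes-int-or-string specifies that this value is
  // either an integer or a string. If this is true, an empty
  // type is allowed and type as child of anyOf is permitted
  // if following one of the following patterns:
  //
  // 1) anyOf:
  //    - type: integer
  //    - type: string
  // 2) allOf:
  //    - anyOf:
  //      - type: integer
  //      - type: string
  //    - ... zero or more
  optional bool xKubernetesIntOrString = 40;

  // x-kubernetes-list-map-keys annotates an array with the x-kubernetes-list-type `map` by specifying the keys used
  // as the index of the map.
  //
  // This tag MUST only be used on lists that have the "x-kubernetes-list-type"
  // extension set to "map". Also, the values specified for this attribute must
  // be a scalar typed field of the child structure (no nesting is supported).
  //
  // The properties specified must either be required or have a default value,
  // to ensure those properties are present for all list items.
  //
  // +optional
  // +listType=atomic
  repeated string xKubernetesListMapKeys = 41;

  // x-kubernetes-list-type annotates an array to further describe its topology.
  // This extension must only be used on lists and may have 3 possible values:
  //
  // 1) `atomic`: the list is treated as a single entity, like a scalar.
  //      Atomic lists will be entirely replaced when updated. This extension
  //      may be used on any type of list (struct, scalar, ...).
  // 2) `set`:
  //      Sets are lists that must not have multiple items with the same value. Each
  //      value must be a scalar, an object with x-kubernetes-map-type `atomic` or an
  //      array with x-kubernetes-list-type `atomic`.
  // 3) `map`:
  //      These lists are like maps in that their elements have a non-index key
  //      used to identify them. Order is preserved upon merge. The map tag
  //      must only be used on a list with elements of type object.
  // Defaults to atomic for arrays.
  // +optional
  optional string xKubernetesListType = 42;

  // x-kubernetes-map-type annotates an object to further describe its topology.
  // This extension must only be used when type is object and may have 2 possible values:
  //
  // 1) `granular`:
  //      These maps are actual maps (key-value pairs) and each field is independent
  //      of the others (they can each be manipulated by separate actors). This is
  //      the default behaviour for all maps.
  // 2) `atomic`: the map is treated as a single entity, like a scalar.
  //      Atomic maps will be entirely replaced when updated.
  // +optional
  optional string xKubernetesMapType = 43;

  // x-kubernetes-validations describes a list of validation rules written in the CEL expression language.
  // This field is alpha-level. Using this field requires the feature gate `CustomResourceValidationExpressions` to be enabled.
  // +patchMergeKey=rule
  // +patchStrategy=merge
  // +listType=map
  // +listMapKey=rule
  repeated ValidationRule xKubernetesValidations = 44;
}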
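// JSONSchemaPropsOrArray represents a value that can either be a
// JSONSchemaProps or an array of JSONSchemaProps. Mainly here for
// serialization purposes.
message JSONSchemaPropsOrArray {
  // schema is the single-JSONSchemaProps alternative.
  // NOTE(review): the two fields are not declared as a oneof, so this schema
  // does not stop both from being set; how a reader resolves that is not
  // stated in this file (TODO confirm).
  optional JSONSchemaProps schema = 1;

  // jSONSchemas is the array-of-JSONSchemaProps alternative.
  // +listType=atomic
  repeated JSONSchemaProps jSONSchemas = 2;
}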
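// JSONSchemaPropsOrBool represents JSONSchemaProps or a boolean value.
// Defaults to true for the boolean property.
message JSONSchemaPropsOrBool {
  // allows is the boolean alternative; per the message comment it defaults to
  // true.
  // NOTE(review): the default is not expressed in this schema (no `default`
  // option on the field), so it is presumably applied by the consuming code
  // (TODO confirm).
  optional bool allows = 1;

  // schema is the JSONSchemaProps alternative.
  optional JSONSchemaProps schema = 2;
}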
661
// JSONSchemaPropsOrStringArray represents a JSONSchemaProps or a string array.
//
// NOTE(review): `schema` and `property` are independent fields rather than
// members of a oneof, so this declaration does not prevent both being set;
// presumably the consumer picks one — confirm.
message JSONSchemaPropsOrStringArray {
 // schema holds the value when it is a JSONSchemaProps.
 optional JSONSchemaProps schema = 1;

 // property holds the value when it is a string array.
 // +listType=atomic
 repeated string property = 2;
}
669
// SelectableField specifies the JSON path of a field that may be used with field selectors.
message SelectableField {
 // jsonPath is a simple JSON path which is evaluated against each custom resource to produce a
 // field selector value.
 // Only JSON paths without the array notation are allowed.
 // Must point to a field of type string, boolean or integer. Types with enum values
 // and strings with formats are allowed.
 // If jsonPath refers to an absent field in a resource, the jsonPath evaluates to an empty string.
 // Must not point to metadata fields.
 // Required.
 // NOTE(review): the field is declared `optional` here, so "Required" and the
 // path restrictions above are not enforced by the wire format; presumably API
 // validation enforces them — confirm.
 optional string jsonPath = 1;
}
682
// ServiceReference holds a reference to Service.legacy.k8s.io
//
// NOTE(review): every field is declared `optional`, so the "Required" markers
// and the port range below are documentation only at the proto level;
// presumably API validation enforces them — confirm.
message ServiceReference {
 // namespace is the namespace of the service.
 // Required
 optional string namespace = 1;

 // name is the name of the service.
 // Required
 optional string name = 2;

 // path is an optional URL path at which the webhook will be contacted.
 // +optional
 optional string path = 3;

 // port is an optional service port at which the webhook will be contacted.
 // `port` should be a valid port number (1-65535, inclusive).
 // Defaults to 443 for backward compatibility.
 // The int32 type itself also admits values outside 1-65535, including
 // negative ones, so the range has to be checked by whatever consumes it.
 // +optional
 optional int32 port = 4;
}
703
// ValidationRule describes a validation rule written in the CEL expression language.
message ValidationRule {
 // Rule represents the expression which will be evaluated by CEL.
 // ref: https://github.com/google/cel-spec
 // The Rule is scoped to the location of the x-kubernetes-validations extension in the schema.
 // The `self` variable in the CEL expression is bound to the scoped value.
 // Example:
 // - Rule scoped to the root of a resource with a status subresource: {"rule": "self.status.actual <= self.spec.maxDesired"}
 //
 // If the Rule is scoped to an object with properties, the accessible properties of the object are field selectable
 // via `self.field` and field presence can be checked via `has(self.field)`. Null valued fields are treated as
 // absent fields in CEL expressions.
 // If the Rule is scoped to an object with additionalProperties (i.e. a map) the values of the map
 // are accessible via `self[mapKey]`, map containment can be checked via `mapKey in self` and all entries of the map
 // are accessible via CEL macros and functions such as `self.all(...)`.
 // If the Rule is scoped to an array, the elements of the array are accessible via `self[i]` and also by macros and
 // functions.
 // If the Rule is scoped to a scalar, `self` is bound to the scalar value.
 // Examples:
 // - Rule scoped to a map of objects: {"rule": "self.components['Widget'].priority < 10"}
 // - Rule scoped to a list of integers: {"rule": "self.values.all(value, value >= 0 && value < 100)"}
 // - Rule scoped to a string value: {"rule": "self.startsWith('kube')"}
 //
 // The `apiVersion`, `kind`, `metadata.name` and `metadata.generateName` are always accessible from the root of the
 // object and from any x-kubernetes-embedded-resource annotated objects. No other metadata properties are accessible.
 //
 // Unknown data preserved in custom resources via x-kubernetes-preserve-unknown-fields is not accessible in CEL
 // expressions, so no rule can constrain it. This includes:
 // - Unknown field values that are preserved by object schemas with x-kubernetes-preserve-unknown-fields.
 // - Object properties where the property schema is of an "unknown type". An "unknown type" is recursively defined as:
 //   - A schema with no type and x-kubernetes-preserve-unknown-fields set to true
 //   - An array where the items schema is of an "unknown type"
 //   - An object where the additionalProperties schema is of an "unknown type"
 //
 // Only property names of the form `[a-zA-Z_.-/][a-zA-Z0-9_.-/]*` are accessible.
 // Accessible property names are escaped according to the following rules when accessed in the expression:
 // - '__' escapes to '__underscores__'
 // - '.' escapes to '__dot__'
 // - '-' escapes to '__dash__'
 // - '/' escapes to '__slash__'
 // - Property names that exactly match a CEL RESERVED keyword escape to '__{keyword}__'. The keywords are:
 //   "true", "false", "null", "in", "as", "break", "const", "continue", "else", "for", "function", "if",
 //   "import", "let", "loop", "package", "namespace", "return".
 // Examples:
 // - Rule accessing a property named "namespace": {"rule": "self.__namespace__ > 0"}
 // - Rule accessing a property named "x-prop": {"rule": "self.x__dash__prop > 0"}
 // - Rule accessing a property named "redact__d": {"rule": "self.redact__underscores__d > 0"}
 //
 // Equality on arrays with x-kubernetes-list-type of 'set' or 'map' ignores element order, i.e. [1, 2] == [2, 1].
 // Concatenation on arrays with x-kubernetes-list-type use the semantics of the list type:
 // - 'set': `X + Y` performs a union where the array positions of all elements in `X` are preserved and
 //   non-intersecting elements in `Y` are appended, retaining their partial order.
 // - 'map': `X + Y` performs a merge where the array positions of all keys in `X` are preserved but the values
 //   are overwritten by values in `Y` when the key sets of `X` and `Y` intersect. Elements in `Y` with
 //   non-intersecting keys are appended, retaining their partial order.
 //
 // If `rule` makes use of the `oldSelf` variable it is implicitly a
 // `transition rule`.
 //
 // By default, the `oldSelf` variable is the same type as `self`.
 // When `optionalOldSelf` is true, the `oldSelf` variable is a CEL optional
 // variable whose value() is the same type as `self`.
 // See the documentation for the `optionalOldSelf` field for details.
 //
 // Transition rules by default are applied only on UPDATE requests and are
 // skipped if an old value could not be found. You can opt a transition
 // rule into unconditional evaluation by setting `optionalOldSelf` to true.
 // A transition rule left at this default therefore places no constraint on
 // the value an object is created with; only later updates are checked.
 optional string rule = 1;

 // Message represents the message displayed when validation fails. The message is required if the Rule contains
 // line breaks. The message must not contain line breaks.
 // If unset, the message is "failed rule: {Rule}".
 // e.g. "must be a URL with the host matching spec.host"
 optional string message = 2;

 // MessageExpression declares a CEL expression that evaluates to the validation failure message that is returned when this rule fails.
 // Since messageExpression is used as a failure message, it must evaluate to a string.
 // If both message and messageExpression are present on a rule, then messageExpression will be used if validation
 // fails. If messageExpression results in a runtime error, the runtime error is logged, and the validation failure message is produced
 // as if the messageExpression field were unset. If messageExpression evaluates to an empty string, a string with only spaces, or a string
 // that contains line breaks, then the validation failure message will also be produced as if the messageExpression field were unset, and
 // the fact that messageExpression produced an empty string/string with only spaces/string with line breaks will be logged.
 // messageExpression has access to all the same variables as the rule; the only difference is the return type.
 // Because the resulting string is returned to the caller, any field value the
 // expression interpolates (as `self.max` is in the example below) is echoed in
 // the failure message; keep values that should not be disclosed out of it.
 // Example:
 // "x must be less than max ("+string(self.max)+")"
 // +optional
 optional string messageExpression = 3;

 // reason provides a machine-readable validation failure reason that is returned to the caller when a request fails this validation rule.
 // The HTTP status code returned to the caller will match the reason of the first failed validation rule.
 // The currently supported reasons are: "FieldValueInvalid", "FieldValueForbidden", "FieldValueRequired", "FieldValueDuplicate".
 // If not set, default to use "FieldValueInvalid".
 // All future added reasons must be accepted by clients when reading this value and unknown reasons should be treated as FieldValueInvalid.
 // +optional
 optional string reason = 4;

 // fieldPath represents the field path returned when the validation fails.
 // It must be a relative JSON path (i.e. with array notation) scoped to the location of this x-kubernetes-validations extension in the schema and refer to an existing field.
 // e.g. when validation checks if a specific attribute `foo` under a map `testMap`, the fieldPath could be set to `.testMap.foo`
 // If the validation checks two lists must have unique attributes, the fieldPath could be set to either of the list: e.g. `.testList`
 // It does not support list numeric index.
 // It supports child operation to refer to an existing field currently. Refer to [JSONPath support in Kubernetes](https://kubernetes.io/docs/reference/kubectl/jsonpath/) for more info.
 // Numeric index of array is not supported.
 // For field name which contains special characters, use `['specialName']` to refer to the field name.
 // e.g. for attribute `foo.34$` appears in a list `testList`, the fieldPath could be set to `.testList['foo.34$']`
 // NOTE(review): "array notation" above presumably means the bracket form
 // `['specialName']` shown here, since numeric indexes are ruled out — confirm.
 // +optional
 optional string fieldPath = 5;

 // optionalOldSelf is used to opt a transition rule into evaluation
 // even when the object is first created, or if the old object is
 // missing the value.
 //
 // When enabled `oldSelf` will be a CEL optional whose value will be
 // `None` if there is no old value, or when the object is initially created.
 //
 // You may check for presence of oldSelf using `oldSelf.hasValue()` and
 // unwrap it after checking using `oldSelf.value()`. Check the CEL
 // documentation for Optional types for more information:
 // https://pkg.go.dev/github.com/google/cel-go/cel#OptionalTypes
 //
 // May not be set unless `oldSelf` is used in `rule`.
 //
 // +featureGate=CRDValidationRatcheting
 // +optional
 optional bool optionalOldSelf = 6;
}
830
// WebhookClientConfig contains the information to make a TLS connection with the webhook.
//
// NOTE(review): `url` and `service` are described as mutually exclusive but are
// declared as independent optional fields, not a oneof, so the "exactly one"
// rule is not enforced by the wire format; presumably API validation enforces
// it — confirm.
// Field numbers do not follow declaration order (service = 1, caBundle = 2,
// url = 3); the numbers are the wire contract and must not be renumbered.
message WebhookClientConfig {
 // url gives the location of the webhook, in standard URL form
 // (`scheme://host:port/path`). Exactly one of `url` or `service`
 // must be specified.
 //
 // The `host` should not refer to a service running in the cluster; use
 // the `service` field instead. The host might be resolved via external
 // DNS in some apiservers (e.g., `kube-apiserver` cannot resolve
 // in-cluster DNS as that would be a layering violation). `host` may
 // also be an IP address.
 //
 // Please note that using `localhost` or `127.0.0.1` as a `host` is
 // risky unless you take great care to run this webhook on all hosts
 // which run an apiserver which might need to make calls to this
 // webhook. Such installs are likely to be non-portable, i.e., not easy
 // to turn up in a new cluster.
 //
 // The scheme must be "https"; the URL must begin with "https://".
 //
 // A path is optional, and if present may be any string permissible in
 // a URL. You may use the path to pass an arbitrary string to the
 // webhook, for example, a cluster identifier.
 //
 // Attempting to use a user or basic auth e.g. "user:password@" is not
 // allowed. Fragments ("#...") and query parameters ("?...") are not
 // allowed, either.
 //
 // +optional
 optional string url = 3;

 // service is a reference to the service for this webhook. Either
 // service or url must be specified.
 //
 // If the webhook is running within the cluster, then you should use `service`.
 //
 // +optional
 optional ServiceReference service = 1;

 // caBundle is a PEM encoded CA bundle which will be used to validate the webhook's server certificate.
 // If unspecified, system trust roots on the apiserver are used.
 // In that case any CA in the apiserver host's trust store can vouch for the
 // webhook's certificate; supplying a bundle narrows trust to the CAs it lists.
 // +optional
 optional bytes caBundle = 2;
}
875