...

Source file src/k8s.io/kubelet/config/v1/types.go

Documentation: k8s.io/kubelet/config/v1

     1  /*
     2  Copyright 2022 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package v1
    18  
    19  import (
    20  	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    21  )
    22  
    23  // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
    24  
    25  // CredentialProviderConfig is the configuration containing information about
    26  // each exec credential provider. Kubelet reads this configuration from disk and enables
    27  // each provider as specified by the CredentialProvider type.
        //
        // NOTE(review): every provider listed here names an executable that the kubelet will
        // invoke, so this file presumably needs to be writable only by the node's administrators.
        // The expected ownership and permissions are not stated in this file - confirm them
        // against the kubelet deployment guidance.
    28  type CredentialProviderConfig struct {
    29  	metav1.TypeMeta `json:",inline"`
    30  
    31  	// providers is a list of credential provider plugins that will be enabled by the kubelet.
    32  	// Multiple providers may match against a single image, in which case credentials
    33  	// from all providers will be returned to the kubelet. If multiple providers are called
    34  	// for a single image, the results are combined. If providers return overlapping
    35  	// auth keys, the value from the provider earlier in this list is used.
        	// List order is therefore significant: it decides which provider's credentials
        	// are used when two providers answer for the same auth key.
    36  	Providers []CredentialProvider `json:"providers"`
    37  }
    38  
    39  // CredentialProvider represents an exec plugin to be invoked by the kubelet. The plugin is only
    40  // invoked when an image being pulled matches the images handled by the plugin (see matchImages).
    41  type CredentialProvider struct {
    42  	// name is the required name of the credential provider. It must match the name of the
    43  	// provider executable as seen by the kubelet. The executable must be in the kubelet's
    44  	// bin directory (set by the --image-credential-provider-bin-dir flag).
        	//
        	// NOTE(review): the kubelet executes the file with this name from that directory, so
        	// the directory should be writable only by trusted administrators. How name is
        	// validated (for example, whether it may contain path separators) is not visible in
        	// this file - confirm in the config validation code.
    45  	Name string `json:"name"`
    46  
    47  	// matchImages is a required list of strings used to match against images in order to
    48  	// determine if this provider should be invoked. If one of the strings matches the
    49  	// requested image from the kubelet, the plugin will be invoked and given a chance
    50  	// to provide credentials. Images are expected to contain the registry domain
    51  	// and URL path.
    52  	//
    53  	// Each entry in matchImages is a pattern which can optionally contain a port and a path.
    54  	// Globs can be used in the domain, but not in the port or the path. Globs are supported
    55  	// as subdomains like '*.k8s.io' or 'k8s.*.io', and top-level-domains such as 'k8s.*'.
    56  	// Matching partial subdomains like 'app*.k8s.io' is also supported. Each glob can only match
    57  	// a single subdomain segment, so *.io does not match *.k8s.io.
    58  	//
    59  	// A match exists between an image and a matchImages entry when all of the below are true:
    60  	// - Both contain the same number of domain parts and each part matches.
    61  	// - The URL path of the matchImages entry must be a prefix of the target image URL path.
    62  	// - If the matchImages entry contains a port, then the port must match in the image as well.
    63  	//
        	// Keep patterns as narrow as the deployment allows: the plugin is invoked, and given
        	// the chance to return credentials, for every image that matches an entry.
        	// NOTE(review): "prefix" is not defined further here; whether the path comparison is a
        	// plain string prefix or respects path segments should be confirmed against the matcher.
        	//
    64  	// Example values of matchImages:
    65  	//   - 123456789.dkr.ecr.us-east-1.amazonaws.com
    66  	//   - *.azurecr.io
    67  	//   - gcr.io
    68  	//   - *.*.registry.io
    69  	//   - registry.io:8080/path
    70  	MatchImages []string `json:"matchImages"`
    71  
    72  	// defaultCacheDuration is the default duration the plugin will cache credentials in-memory
    73  	// if a cache duration is not provided in the plugin response. This field is required.
        	// NOTE(review): presumably cached credentials are reused until this duration elapses,
        	// so a long value would delay the effect of rotating or revoking them - confirm the
        	// cache behaviour before choosing a value.
    74  	DefaultCacheDuration *metav1.Duration `json:"defaultCacheDuration"`
    75  
    76  	// apiVersion is the required input version of the exec CredentialProviderRequest. The returned
    77  	// CredentialProviderResponse MUST use the same encoding version as the input. Current supported values are:
    78  	// - credentialprovider.kubelet.k8s.io/v1
    79  	APIVersion string `json:"apiVersion"`
    80  
    81  	// args are the arguments to pass to the command when executing it.
    82  	// +optional
    83  	Args []string `json:"args,omitempty"`
    84  
    85  	// env defines additional environment variables to expose to the process. These
    86  	// are unioned with the host's environment, as well as variables client-go uses
    87  	// to pass arguments to the plugin.
        	// The plugin process therefore also sees the host's environment, and any value set
        	// here is stored in plain text in the configuration file the kubelet reads from disk.
    88  	// +optional
    89  	Env []ExecEnvVar `json:"env,omitempty"`
    90  }
    91  
    92  // ExecEnvVar is used for setting environment variables when executing an exec-based
    93  // credential plugin.
        //
        // Name and Value are serialized as the "name" and "value" keys; presumably Name is the
        // variable's name and Value the string assigned to it. Both are plain strings in the
        // kubelet's on-disk configuration, so a Value set here is readable by anyone who can
        // read that file.
    94  type ExecEnvVar struct {
    95  	Name  string `json:"name"`
    96  	Value string `json:"value"`
    97  }
    98  
